diff --git a/src/knot/dnssec/context.c b/src/knot/dnssec/context.c
index c2abe1732d0947f79152d0ea0afe64df3e1c00c0..6547b103903acada4820277b964dd4350dcbbaf8 100644
--- a/src/knot/dnssec/context.c
+++ b/src/knot/dnssec/context.c
@@ -272,7 +272,8 @@ int kdnssec_validation_ctx(conf_t *conf, kdnssec_ctx_t *ctx, const zone_contents
 	policy_load(ctx->policy, &policy_id);
 
 	int ret = kasp_zone_from_contents(ctx->zone, zone, ctx->policy->single_type_signing,
-	                                  ctx->policy->nsec3_enabled, &ctx->keytag_conflict);
+	                                  ctx->policy->nsec3_enabled, &ctx->policy->nsec3_iterations,
+	                                  &ctx->keytag_conflict);
 	if (ret != KNOT_EOK) {
 		memset(ctx->zone, 0, sizeof(*ctx->zone));
 		kdnssec_ctx_deinit(ctx);
diff --git a/src/knot/dnssec/kasp/kasp_zone.c b/src/knot/dnssec/kasp/kasp_zone.c
index 3f07c283e68738a02bd615c9c640c6ae3d912240..e9c157e2d9b90fdc7a12ac583ec35f2d90b3f1e9 100644
--- a/src/knot/dnssec/kasp/kasp_zone.c
+++ b/src/knot/dnssec/kasp/kasp_zone.c
@@ -310,6 +310,7 @@ int kasp_zone_from_contents(knot_kasp_zone_t *zone,
                             const zone_contents_t *contents,
                             bool policy_single_type_signing,
                             bool policy_nsec3,
+                            uint16_t *policy_nsec3_iters,
                             bool *keytag_conflict)
 {
 	if (zone == NULL || contents == NULL || contents->apex == NULL) {
@@ -372,6 +373,8 @@ int kasp_zone_from_contents(knot_kasp_zone_t *zone,
 		memcpy(zone->nsec3_salt.data,
 		       knot_nsec3param_salt(zone_ns3p->rdata),
 		       zone->nsec3_salt.size);
+
+		*policy_nsec3_iters = knot_nsec3param_iters(zone_ns3p->rdata);
 	}
 
 	detect_keytag_conflict(zone, keytag_conflict);
diff --git a/src/knot/dnssec/kasp/kasp_zone.h b/src/knot/dnssec/kasp/kasp_zone.h
index a1e34bf0b631ca75ad088e4878a6ca956b23f19f..6ebe79e165760373089ddddc0ad7697eddeac4f4 100644
--- a/src/knot/dnssec/kasp/kasp_zone.h
+++ b/src/knot/dnssec/kasp/kasp_zone.h
@@ -50,4 +50,5 @@ int kasp_zone_from_contents(knot_kasp_zone_t *zone,
                             const zone_contents_t *contents,
                             bool policy_single_type_signing,
                             bool policy_nsec3,
+                            uint16_t *policy_nsec3_iters,
                             bool *keytag_conflict);
diff --git a/src/knot/dnssec/nsec-chain.c b/src/knot/dnssec/nsec-chain.c
index 74fd864b350ac44bba1cf582da32f965984f0584..ab64310c651600d7803d4e41f5394456826aee8e 100644
--- a/src/knot/dnssec/nsec-chain.c
+++ b/src/knot/dnssec/nsec-chain.c
@@ -287,7 +287,9 @@ static bool node_nsec3_unmatching(const zone_node_t *node, const dnssec_nsec3_pa
 	}
 	knot_rdata_t *rdata = nsec3->rdata;
 	for (int i = 0; i < nsec3->count; i++) {
-		if (knot_nsec3_salt_len(rdata) == params->salt.size &&
+		if (knot_nsec3_alg(rdata) == params->algorithm &&
+		    knot_nsec3_iters(rdata) == params->iterations &&
+		    knot_nsec3_salt_len(rdata) == params->salt.size &&
 		    memcmp(knot_nsec3_salt(rdata), params->salt.data, params->salt.size) == 0) {
 			return false;
 		}