Set default number of additional NSEC3 iterations to 0 in dnssec-signzone

We forgot to update dnssec-signzone while updating KASP defaults.

Closes: #3395
Related: #2956
(cherry picked from commit d029d6374d)

CHANGES

@@ -1,3 +1,6 @@
+5904.	[func]		Changed dnssec-signzone -H default to 0 additional
+			NSEC3 iterations. [GL #3395]
+
 5903.	[bug]		When named checks that the OPCODE in a response matches
 			that of the request, if there is a mismatch named logs
 			an error.  Some of those error messages incorrectly

bin/dnssec/dnssec-signzone.c

@@ -152,7 +152,7 @@ static dns_dbiterator_t *gdbiter; /* The database iterator */
 static dns_rdataclass_t gclass;	  /* The class */
 static dns_name_t *gorigin;	  /* The database origin */
 static int nsec3flags = 0;
-static dns_iterations_t nsec3iter = 10U;
+static dns_iterations_t nsec3iter = 0U;
 static unsigned char saltbuf[255];
 static unsigned char *gsalt = saltbuf;
 static size_t salt_length = 0;

bin/dnssec/dnssec-signzone.rst

@@ -365,7 +365,7 @@ Options
 .. option:: -H iterations
 
    This option indicates that, when generating an NSEC3 chain, BIND 9 should use this many iterations. The default
-   is 10.
+   is 0.
 
 .. option:: -A
 

doc/man/dnssec-signzone.1in

@@ -413,7 +413,7 @@ generating the NSEC3 chain.
 .TP
 .B \-H iterations
 This option indicates that, when generating an NSEC3 chain, BIND 9 should use this many iterations. The default
-is 10.
+is 0.
 .UNINDENT
 .INDENT 0.0
 .TP

doc/notes/notes-current.rst

@@ -35,7 +35,10 @@ Removed Features
 Feature Changes
 ~~~~~~~~~~~~~~~
 
-- None.
+- :option:The `dnssec-signzone -H` default value has been changed to 0 additional
+  NSEC3 iterations. This change aligns the :iscman:`dnssec-signzone` default with
+  the default used by the :ref:`dnssec-policy <dnssec_policy_grammar>` feature.
+  :gl:`#3395`
 
 Bug Fixes
 ~~~~~~~~~