diff --git a/CHANGES b/CHANGES
index ee5f6d52ee..f9e9f9d2ed 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@ +5904. [func] Changed dnssec-signzone -H default to 0 additional + NSEC3 iterations. [GL #3395] + 5903. [bug] When named checks that the OPCODE in a response matches that of the request, if there is a mismatch named logs an error. Some of those error messages incorrectly
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index d303d57de3..330b581a2b 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -152,7 +152,7 @@ static dns_dbiterator_t *gdbiter; /* The database iterator */
 static dns_rdataclass_t gclass; /* The class */
 static dns_name_t *gorigin; /* The database origin */
 static int nsec3flags = 0;
-static dns_iterations_t nsec3iter = 10U;
+static dns_iterations_t nsec3iter = 0U;
 static unsigned char saltbuf[255];
 static unsigned char *gsalt = saltbuf;
 static size_t salt_length = 0;
diff --git a/bin/dnssec/dnssec-signzone.rst b/bin/dnssec/dnssec-signzone.rst
index 244fc64d61..64c900228a 100644
--- a/bin/dnssec/dnssec-signzone.rst
+++ b/bin/dnssec/dnssec-signzone.rst
@@ -365,7 +365,7 @@ Options .. option:: -H iterations This option indicates that, when generating an NSEC3 chain, BIND 9 should use this many iterations. The default - is 10. + is 0. .. option:: -A
diff --git a/doc/man/dnssec-signzone.1in b/doc/man/dnssec-signzone.1in
index ffc5278ea0..cfa0cb5cbe 100644
--- a/doc/man/dnssec-signzone.1in
+++ b/doc/man/dnssec-signzone.1in
@@ -413,7 +413,7 @@ generating the NSEC3 chain. .TP .B \-H iterations This option indicates that, when generating an NSEC3 chain, BIND 9 should use this many iterations. The default -is 10. +is 0. .UNINDENT .INDENT 0.0 .TP
diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst
index a85f1b3ab0..f687b1c452 100644
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
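Review bot: The new `static dns_iterations_t nsec3iter = 0U;` initializer in bin/dnssec/dnssec-signzone.c has no comment saying that zero is a deliberate default, so a later reader could take it for an unset value. A trailing comment such as `/* 0 additional iterations; matches the dnssec-policy default */` would record the intent that the release note states. The reasoning is worth keeping next to the value: extra NSEC3 iterations add hashing cost for validators and authoritative servers while doing little to slow offline guessing of owner names, which is why RFC 9276 recommends zero. Zones that relied on the implicit 10 will presumably get a different NSEC3PARAM and a rebuilt chain on the next signing run unless `-H 10` is passed explicitly. The code that consumes `nsec3iter` is outside this hunk, so that effect cannot be confirmed from here.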
@@ -35,7 +35,10 @@ Removed Features Feature Changes ~~~~~~~~~~~~~~~ -- None. +- :option:The `dnssec-signzone -H` default value has been changed to 0 additional + NSEC3 iterations. This change aligns the :iscman:`dnssec-signzone` default with + the default used by the :ref:`dnssec-policy ` feature. + :gl:`#3395` Bug Fixes ~~~~~~~~~