diff --git a/bin/named/config.c b/bin/named/config.c
index cfdcec0847..f7cc14dbaf 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -318,18 +318,6 @@ dnssec-policy \"default\" {\n\
 \n\
 dnssec-policy \"insecure\" {\n\
 keys { };\n\
-\n\
- dnskey-ttl " DNS_KASP_KEY_TTL "; \n\
- publish-safety " DNS_KASP_PUBLISH_SAFETY "; \n\
- retire-safety " DNS_KASP_RETIRE_SAFETY "; \n\
- purge-keys " DNS_KASP_PURGE_KEYS "; \n\
- signatures-refresh " DNS_KASP_SIG_REFRESH "; \n\
- signatures-validity " DNS_KASP_SIG_VALIDITY "; \n\
- signatures-validity-dnskey " DNS_KASP_SIG_VALIDITY_DNSKEY "; \n\
- max-zone-ttl " DNS_KASP_ZONE_MAXTTL "; \n\
- zone-propagation-delay " DNS_KASP_ZONE_PROPDELAY "; \n\
- parent-ds-ttl " DNS_KASP_DS_TTL "; \n\
- parent-propagation-delay " DNS_KASP_PARENT_PROPDELAY "; \n\
 };\n\
 \n\
 "
diff --git a/bin/named/server.c b/bin/named/server.c
index da9c18138c..e36502863a 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -9086,14 +9086,19 @@ load_configuration(const char *filename, named_server_t *server,
 element = cfg_list_next(element))
 {
 cfg_obj_t *kconfig = cfg_listelt_value(element);
+
 kasp = NULL;
- CHECK(cfg_kasp_fromconfig(kconfig, NULL, named_g_mctx,
+ CHECK(cfg_kasp_fromconfig(kconfig, default_kasp, named_g_mctx,
 named_g_lctx, &kasplist, &kasp));
 INSIST(kasp != NULL);
 dns_kasp_freeze(kasp);
- if (strcmp(dns_kasp_getname(kasp), "default") == 0) {
+
+ /* Insist that the first built-in policy is the default one. */
+ if (default_kasp == NULL) {
+ INSIST(strcmp(dns_kasp_getname(kasp), "default") == 0);
 dns_kasp_attach(kasp, &default_kasp);
 }
+
 dns_kasp_detach(&kasp);
 }
 INSIST(default_kasp != NULL);
diff --git a/lib/isccfg/kaspconf.c b/lib/isccfg/kaspconf.c
index 932466aad7..7c476b1a68 100644
--- a/lib/isccfg/kaspconf.c
+++ b/lib/isccfg/kaspconf.c
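Review bot: In the bin/named/server.c hunk, the new `INSIST(strcmp(dns_kasp_getname(kasp), "default") == 0);` makes the order of the built-in policies a hard requirement, but the comment above it only restates the assertion and does not say why the order matters. Since `default_kasp` is now passed to `cfg_kasp_fromconfig()`, the later built-in policies presumably take their unset options from it, so the comment would read better as `/* Built-in policies after the first inherit from "default", so it must be listed first in the built-in configuration. */`. A matching remark next to the policy definitions in bin/named/config.c would keep a future reorder of that string from surfacing only as an assertion failure at startup. load_configuration() begins and ends outside this hunk.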
@@ -511,9 +511,8 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, dns_kasp_t *default_kasp,
 if (result != ISC_R_SUCCESS) {
 goto cleanup;
 }
- } else if (default_kasp && strcmp(kaspname, "insecure") != 0) {
+ } else if (default_kasp) {
 dns_kasp_key_t *key, *new_key;
-
 /*
 * If there are no specific keys configured in the policy,
 * inherit from the default policy (except for the built-in
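Review bot: The context comment under the new `} else if (default_kasp) {` still says keys are inherited from the default policy "except for the built-in" policy, while the condition no longer tests for "insecure", so the comment and the code now disagree. The exception appears to rest on the built-in "insecure" policy carrying an explicit `keys { };` (visible as context in the bin/named/config.c hunk), which presumably keeps it out of this branch; if that entry were ever dropped, "insecure" would quietly receive the default policy's keys instead of having none. I would reword the comment so the dependency is stated where it is relied on, for example `* inherit from the default policy. The built-in "insecure" policy sets "keys { };" explicitly and is not expected to reach this branch.` The comment and the branch body continue outside this hunk, so the remaining lines of the comment need the same adjustment.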