diff --git a/CHANGES b/CHANGES index cbf10e5db8..761ecfb031 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +5904. [func] Changed dnssec-signzone -H default to 0 additional + NSEC3 iterations. [GL #3395] + 5903. [bug] When named checks that the OPCODE in a response matches that of the request, if there is a mismatch named logs an error. Some of those error messages incorrectly diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c index 66abc6c002..9c35cd60f5 100644 --- a/bin/dnssec/dnssec-signzone.c +++ b/bin/dnssec/dnssec-signzone.c @@ -152,7 +152,7 @@ static dns_dbiterator_t *gdbiter; /* The database iterator */ static dns_rdataclass_t gclass; /* The class */ static dns_name_t *gorigin; /* The database origin */ static int nsec3flags = 0; -static dns_iterations_t nsec3iter = 10U; +static dns_iterations_t nsec3iter = 0U; static unsigned char saltbuf[255]; static unsigned char *gsalt = saltbuf; static size_t salt_length = 0; diff --git a/bin/dnssec/dnssec-signzone.rst b/bin/dnssec/dnssec-signzone.rst index 244fc64d61..64c900228a 100644 --- a/bin/dnssec/dnssec-signzone.rst +++ b/bin/dnssec/dnssec-signzone.rst @@ -365,7 +365,7 @@ Options .. option:: -H iterations This option indicates that, when generating an NSEC3 chain, BIND 9 should use this many iterations. The default - is 10. + is 0. .. option:: -A diff --git a/doc/man/dnssec-signzone.1in b/doc/man/dnssec-signzone.1in index ffc5278ea0..cfa0cb5cbe 100644 --- a/doc/man/dnssec-signzone.1in +++ b/doc/man/dnssec-signzone.1in @@ -413,7 +413,7 @@ generating the NSEC3 chain. .TP .B \-H iterations This option indicates that, when generating an NSEC3 chain, BIND 9 should use this many iterations. The default -is 10. +is 0. .UNINDENT .INDENT 0.0 .TP diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 44109bc994..3b77dcbc67 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst 
@@ -35,10 +35,10 @@ Removed Features Feature Changes ~~~~~~~~~~~~~~~ -- In order to reduce unnecessary memory consumption in the cache, - NXDOMAIN records are no longer retained past the normal negative - cache TTL, even if ``stale-cache-enable`` is set to ``yes``. - :gl:`#3386`. +- :option:The `dnssec-signzone -H` default value has been changed to 0 additional + NSEC3 iterations. This change aligns the :iscman:`dnssec-signzone` default with + the default used by the :ref:`dnssec-policy ` feature. + :gl:`#3395` Bug Fixes ~~~~~~~~~
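Review bot: the dnssec-signzone.c hunk changes only the initializer, `static dns_iterations_t nsec3iter = 0U;`, while the rst and man page hunks update the documented default; if the usage() or `-H` help text in dnssec-signzone.c also spells out the old default of 10 (it is not within this hunk), it needs the same change so the binary's own help does not contradict the manual.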
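Review bot: in the dnssec-signzone.rst and dnssec-signzone.1in hunks the option text still reads `BIND 9 should use this many iterations. The default is 0.`, whereas the CHANGES entry and the release note describe the new default as "0 additional NSEC3 iterations". Using "additional" in the option description too would avoid the misreading that `-H 0` disables hashing altogether; with zero additional iterations the NSEC3 hash is still computed once. Suggested wording for both files: `BIND 9 should use this many additional iterations. The default is 0.`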
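Review bot: the notes-current.rst hunk removes the existing Feature Changes entry about NXDOMAIN records and `stale-cache-enable` (:gl:`#3386`) rather than adding the new entry next to it; unless dropping that note is intentional, both entries should remain. The new entry's markup also looks broken: `:option:The `dnssec-signzone -H` default value` places the role before plain text instead of a backtick-quoted target, so Sphinx will not render it as an option reference (it should be `:option:`dnssec-signzone -H``), and as shown here `:ref:`dnssec-policy `` carries no `<label>` target, so confirm that a label named dnssec-policy exists or supply one explicitly. Minor: the removed entry ended with a period after `:gl:`#3386``; the new one ends with `:gl:`#3395`` and no period, so keep whichever style the rest of the file uses.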