diff --git a/CHANGES b/CHANGES index 8dd3c21acf..5feca1c308 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +3386. [bug] Address locking violation when generating new NSEC / + NSEC3 chains. [RT #31224] + 3384. [bug] Improved logging of crypto errors. [RT #30963] 3383. [security] A certain combination of records in the RBT could diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 7659c66489..17de457d74 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -6035,6 +6035,7 @@ zone_nsec3chain(dns_zone_t *zone) { result = dns_dbiterator_next(nsec3chain->dbiterator); if (result == ISC_R_NOMORE && nsec3chain->delete_nsec) { + dns_dbiterator_pause(nsec3chain->dbiterator); CHECK(fixup_nsec3param(db, version, nsec3chain, ISC_FALSE, privatetype, ¶m_diff)); @@ -6344,6 +6345,8 @@ zone_nsec3chain(dns_zone_t *zone) { } } if (rebuild_nsec3) { + if (nsec3chain != NULL) + dns_dbiterator_pause(nsec3chain->dbiterator); result = dns_nsec3_addnsec3s(db, version, dns_db_origin(db), zone->minimum, ISC_FALSE, @@ -6361,6 +6364,8 @@ zone_nsec3chain(dns_zone_t *zone) { /* * Add / update signatures for the NSEC3 records. */ + if (nsec3chain != NULL) + dns_dbiterator_pause(nsec3chain->dbiterator); result = update_sigs(&nsec3_diff, db, version, zone_keys, nkeys, zone, inception, expire, now, check_ksk, keyset_kskonly, &sig_diff); @@ -6384,8 +6389,6 @@ zone_nsec3chain(dns_zone_t *zone) { } if (updatensec) { - if (nsec3chain != NULL) - dns_dbiterator_pause(nsec3chain->dbiterator); result = updatesecure(db, version, &zone->origin, zone->minimum, ISC_FALSE, &nsec_diff); if (result != ISC_R_SUCCESS) {
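Review bot: The result of the added `dns_dbiterator_pause(nsec3chain->dbiterator);` is discarded, while the `fixup_nsec3param()` call directly after it goes through `CHECK()`. dns_dbiterator_pause() returns an isc_result_t, so if the pause fails, the write this change is meant to protect still runs, presumably with the iterator's lock still held. Either send it down the same error path with `CHECK(dns_dbiterator_pause(nsec3chain->dbiterator));`, or mark the drop as deliberate with a `(void)` cast and a one-line reason. The same applies to the guarded pauses added in the hunks at -6344 and -6361. zone_nsec3chain() starts and ends outside this hunk.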
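Review bot: Nothing at the `if (rebuild_nsec3)` site says why the iterator must be paused before `dns_nsec3_addnsec3s()`, and the same two-line guard appears again before `update_sigs()` in the next hunk. The CHANGES entry describes a locking violation, so the invariant appears to be that no database write may run while the chain's iterator is active. A later edit that adds another write between these points gets no hint that it needs the same guard. I would put a comment above the guard, such as `/* Pause the iterator before writing to the database; it must not be active across dns_nsec3_addnsec3s(). */`. The hunk does not show whether `nsec3chain` can already be paused here, so the comment should state only the requirement.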
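Review bot: The guard is inserted between the `Add / update signatures for the NSEC3 records.` comment and the `update_sigs()` call it describes, so the comment now reads as if it documents the pause. Moving the two added lines above the comment block keeps the comment attached to its call. The last hunk removes the pause that used to precede `updatesecure()`, so that call now seems to depend on this pause having run. A note such as `/* Iterator stays paused from here through updatesecure(). */` would record that dependency, assuming nothing in between resumes iteration, which the hunk does not show.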