diff --git a/doc/Changelog b/doc/Changelog
index b0321ab60..3f5533b32 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,6 @@
+9 October 2008: Wouter
+	- negative cache caps max iterations of NSEC3 done.
+
 8 October 2008: Wouter
 	- NSEC negative cache for DS.
diff --git a/validator/val_neg.c b/validator/val_neg.c
index 49f96c2d2..b1d60950c 100644
--- a/validator/val_neg.c
+++ b/validator/val_neg.c
@@ -75,7 +75,7 @@ int val_neg_zone_compare(const void* a, const void* b)
 	return dname_canon_lab_cmp(x->name, x->labs, y->name, y->labs, &m);
 }
 
-struct val_neg_cache* val_neg_create(struct config_file* cfg)
+struct val_neg_cache* val_neg_create(struct config_file* cfg, size_t maxiter)
 {
 	struct val_neg_cache* neg = (struct val_neg_cache*)calloc(1,
 		sizeof(*neg));
@@ -83,6 +83,7 @@ struct val_neg_cache* val_neg_create(struct config_file* cfg)
 		log_err("Could not create neg cache: out of memory");
 		return NULL;
 	}
+	neg->nsec3_max_iter = maxiter;
 	neg->max = 1024*1024; /* 1 M is thousands of entries */
 	if(cfg) neg->max = cfg->neg_cache_size;
 	rbtree_init(&neg->tree, &val_neg_zone_compare);
@@ -832,6 +833,7 @@ static void neg_insert_data(struct val_neg_cache* neg,
 		uint8_t* s;
 		size_t slen, it;
 		if(nsec3_get_params(nsec, 0, &h, &it, &s, &slen) &&
+			it <= neg->nsec3_max_iter &&
 			(h != zone->nsec3_hash || it != zone->nsec3_iter ||
 			slen != zone->nsec3_saltlen ||
 			memcmp(zone->nsec3_salt, s, slen) != 0)) {
diff --git a/validator/val_neg.h b/validator/val_neg.h
index e1c949c0f..93c098a66 100644
--- a/validator/val_neg.h
+++ b/validator/val_neg.h
@@ -76,6 +76,8 @@ struct val_neg_cache {
 	size_t use;
 	/** max memory to use (bytes) */
 	size_t max;
+	/** max nsec3 iterations allowed */
+	size_t nsec3_max_iter;
 };
 
 /**
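Review bot: The new `it <= neg->nsec3_max_iter &&` term in the neg_insert_data hunk only withholds the zone-parameter update for an NSEC3 whose iteration count exceeds the cap; nothing in the hunk stops that record from being processed further, and the rest of neg_insert_data lies outside the hunk. If the remainder of the function still inserts the record into the zone's tree, an entry hashed with parameters that differ from the zone's current ones is stored and could later be matched against names hashed with the zone's parameters. Rejecting such a record outright would make the intent explicit and avoids the mismatched entry, e.g. placing `if(nsec3_get_params(nsec, 0, &h, &it, &s, &slen) && it > neg->nsec3_max_iter) return; /* over the configured cap: do not cache */` just before the existing check (the function is `static void` per the hunk header; this assumes nsec3_get_params merely parses the rdata and is cheap to call twice). Whether dropping the record is acceptable to the callers depends on code not shown here, so that should be confirmed.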
@@ -162,9 +164,10 @@ struct val_neg_data {
 /**
  * Create negative cache
  * @param cfg: config options.
+ * @param maxiter: max nsec3 iterations allowed.
  * @return neg cache, empty or NULL on failure.
  */
-struct val_neg_cache* val_neg_create(struct config_file* cfg);
+struct val_neg_cache* val_neg_create(struct config_file* cfg, size_t maxiter);
 
 /**
  * see how much memory is in use by the negative cache.
diff --git a/validator/validator.c b/validator/validator.c
index bcc8a5b7e..bd42d6f7f 100644
--- a/validator/validator.c
+++ b/validator/validator.c
@@ -121,13 +121,6 @@ val_apply_cfg(struct module_env* env, struct val_env* val_env,
 		log_err("validator: error in trustanchors config");
 		return 0;
 	}
-	if(!val_env->neg_cache)
-		val_env->neg_cache = val_neg_create(cfg);
-	if(!val_env->neg_cache) {
-		log_err("out of memory");
-		return 0;
-	}
-	env->neg_cache = val_env->neg_cache;
 	val_env->date_override = cfg->val_date_override;
 	c = cfg_count_numbers(cfg->val_nsec3_key_iterations);
 	if(c < 1 || (c&1)) {
@@ -140,6 +133,14 @@ val_apply_cfg(struct module_env* env, struct val_env* val_env,
 		log_err("validator: cannot apply nsec3 key iterations");
 		return 0;
 	}
+	if(!val_env->neg_cache)
+		val_env->neg_cache = val_neg_create(cfg,
+			val_env->nsec3_maxiter[val_env->nsec3_keyiter_count-1]);
+	if(!val_env->neg_cache) {
+		log_err("out of memory");
+		return 0;
+	}
+	env->neg_cache = val_env->neg_cache;
 	return 1;
 }
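Review bot: The cap passed to val_neg_create, `val_env->nsec3_maxiter[val_env->nsec3_keyiter_count-1]`, is only applied when the cache is first created because the call sits under `if(!val_env->neg_cache)`; if val_apply_cfg runs again with a changed nsec3 key-iterations setting (whether it does on reload is not visible in this hunk), the existing cache keeps its old nsec3_max_iter while the validator's own table is updated. Consider refreshing it unconditionally after the out-of-memory check, `val_env->neg_cache->nsec3_max_iter = val_env->nsec3_maxiter[val_env->nsec3_keyiter_count-1];`, taking the cache's lock first if it has one (not shown here). The index also assumes the iterations table is ordered so that its last entry holds the largest count and that nsec3_keyiter_count is at least 1; the earlier `c < 1` check suggests the count is non-zero, but a short comment such as `/* largest configured nsec3 iteration count is the last table entry */` would make both assumptions explicit at the call. val_apply_cfg begins before this hunk.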