Change nsec3param default to iter 0 salt-length 0

When using 'nsec3param' in 'dnssec-policy' and no specific parameters
are provided, default to zero additional iterations and no salt, as
recommended by draft-ietf-dnsop-nsec3-guidance.

doc/arm/reference.rst

@@ -5209,7 +5209,7 @@ The following options can be specified in a ``dnssec-policy`` statement:
 
     ::
 
-        nsec3param iterations 5 optout no salt-length 8;
+        nsec3param iterations 0 optout no salt-length 0;
 
     The default is to use NSEC.  The ``iterations``, ``optout`` and
     ``salt-length`` parts are optional, but if not set, the values in

lib/isccfg/kaspconf.c

@@ -30,8 +30,8 @@
 #include <isccfg/kaspconf.h>
 #include <isccfg/namedconf.h>
 
-#define DEFAULT_NSEC3PARAM_ITER	   5
-#define DEFAULT_NSEC3PARAM_SALTLEN 8
+#define DEFAULT_NSEC3PARAM_ITER	   0
+#define DEFAULT_NSEC3PARAM_SALTLEN 0
 
 /*
  * Utility function for getting a configuration option.