diff --git a/roles/knot/meta/argument_specs.yml b/roles/knot/meta/argument_specs.yml
index 44ce70f..0f886de 100644
--- a/roles/knot/meta/argument_specs.yml
+++ b/roles/knot/meta/argument_specs.yml
@@ -119,6 +119,14 @@ argument_specs:
           - If set to C(off), C(NSEC) is used, which allows full zone enumeration.
         type: str
         default: 'on'
+      knot_dnssec_policy_nsec3_salt_length:
+        description:
+          - Length of the NSEC3 salt field.
+          - >-
+            Use of a NSEC3 salt is discouraged by
+            U(RFC 9276,https://datatracker.ietf.org/doc/html/rfc9276#section-3.1).
+        type: int
+        default: 0
       knot_dnssec_policy_ksk_size:
         description:
           - Size (in bits) of the KSK.