diff --git a/roles/base/tasks/crypto-policies.yml b/roles/base/tasks/crypto-policies.yml
index 342da4cdc2..6324a0d102 100644
--- a/roles/base/tasks/crypto-policies.yml
+++ b/roles/base/tasks/crypto-policies.yml
@@ -28,7 +28,7 @@
 - name: Set crypto-policy on RHEL9 dns servers to DEFAULT:SHA1
 command: "update-crypto-policies --set DEFAULT:SHA1"
- when: inventory_hostname.startswith('ns')
+ when: "inventory_hostname.startswith('ns') and (currentcryptopolicy.stdout.find('DEFAULT:SHA1') == -1 or cryptopolicyapplied.rc != 0)"
 check_mode: no
 tags:
 - crypto-policies
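Review bot: The new `when:` reads `currentcryptopolicy.stdout` and `cryptopolicyapplied.rc` without a guard, and both variables are registered by tasks outside this hunk. If either of those tasks is skipped (by its own `when:` or by a tag selection that leaves it out), the registered result presumably has no `stdout` or `rc`, so this conditional would raise an error instead of evaluating. Guarding the lookups avoids that: `when: "inventory_hostname.startswith('ns') and ('DEFAULT:SHA1' not in (currentcryptopolicy.stdout | default('')) or (cryptopolicyapplied.rc | default(1)) != 0)"`. Because this policy re-enables SHA-1 on these hosts, a short comment above the task should say why the DNS servers need it and what the two registered checks verify.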