Correcting the .nz DNSKEY encoding, action plan
To the technical community:

As previously reported on this mailing list (http://list.waikato.ac.nz/pipermail/nznog/2011-December/018622.html), the encoding of the .nz DNSKEY is not RFC compliant. Although the majority of validators accept the key, we have recently become aware of validation failures in products from one supplier. Therefore, we have decided to correct this issue now and then continue with DNSSEC deployment for the second level zones.

Our plan, in broad terms, contains five steps:

1. Remove DS records for .nz from the root zone
2. Deploy patched software to the production servers
3. Resign the .nz zone
4. Confirm encoding is correct, including consultation with the supplier
5. Submit new DS records for .nz for inclusion in the root zone

This is a low risk and straightforward procedure compared to the alternative of performing a non-standard key rollover. The rollover needed to accomplish the same result is unusual, has never been attempted before and may carry unforeseen risks.

Our plan will be executed over the next two weeks, and once it is completed we will announce the DNSSEC deployment schedule for the second level zones, starting with geek.nz.

Kind Regards,

--
Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535
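Step 4 of the plan, confirming that the re-signed key's encoding is correct, is the kind of check an operator would want to script before resubmitting DS records. The following Python is an added example, not part of the original message and not .nz Registry Services' own tooling: it decodes an RSA DNSKEY public key against the RFC 3110 wire format (a one-octet exponent length, or a zero octet followed by a two-octet length, then exponent and modulus with no leading zero octets), and computes the RFC 4034 Appendix B key tag that the DS record must carry. The sample records are constructed, with a deliberately tiny modulus so the octets are easy to follow by hand; all function and constant names are my own.

```python
"""Check the RFC 3110 encoding of RSA DNSKEY public keys (added example, constructed data)."""
import base64

# DNSSEC algorithm numbers whose public key field uses the RFC 3110 RSA format.
RSA_ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512"}


def encode_rsa_public_key(exponent: int, modulus: int) -> bytes:
    """Encode (e, n) as RFC 3110 section 2 requires: an exponent length (one octet,
    or a zero octet followed by a two-octet length when the exponent is 256 octets
    or longer), the exponent, then the modulus, neither with leading zero octets."""
    e = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    n = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    if len(e) < 256:
        return bytes([len(e)]) + e + n
    return b"\x00" + len(e).to_bytes(2, "big") + e + n


def parse_rsa_public_key(key: bytes) -> tuple[int, int, list[str]]:
    """Decode an RFC 3110 public key and return (e, n, list of encoding problems)."""
    problems: list[str] = []
    if len(key) < 2:
        return 0, 0, ["public key too short to hold an exponent length"]
    if key[0] != 0:
        exp_len, offset = key[0], 1
    else:
        if len(key) < 3:
            return 0, 0, ["public key too short to hold a two-octet exponent length"]
        exp_len, offset = int.from_bytes(key[1:3], "big"), 3
    exponent = key[offset:offset + exp_len]
    modulus = key[offset + exp_len:]
    if len(exponent) != exp_len:
        problems.append("exponent truncated: length field exceeds available octets")
    if exp_len == 0:
        problems.append("exponent length is zero")
    if not modulus:
        problems.append("modulus is empty")
    # RFC 3110: "Leading zero octets are prohibited in the exponent and modulus."
    if exponent[:1] == b"\x00":
        problems.append("leading zero octet in exponent")
    if modulus[:1] == b"\x00":
        problems.append("leading zero octet in modulus")
    return int.from_bytes(exponent, "big"), int.from_bytes(modulus, "big"), problems


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (flags, protocol, algorithm, key)."""
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet if i & 1 else octet << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def check_dnskey_record(record: str) -> dict:
    """Parse a DNSKEY record in presentation format (TTL and class optional) and
    report its key tag plus any RFC 4034 / RFC 3110 encoding problems."""
    fields = record.split()
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
    public_key = base64.b64decode("".join(fields[i + 4:]))
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key
    result = {"flags": flags, "protocol": protocol, "algorithm": algorithm,
              "key_tag": key_tag(rdata), "problems": []}
    if protocol != 3:
        result["problems"].append("protocol field must be 3 (RFC 4034 section 2.1.2)")
    if algorithm in RSA_ALGORITHMS:
        e, n, problems = parse_rsa_public_key(public_key)
        result["exponent"] = e
        result["modulus_bits"] = n.bit_length()
        result["problems"] += problems
    return result


# Constructed sample records, not real .nz keys. The modulus is tiny so the octets
# can be read by hand: 03 01 00 01 05 = exponent length 3, e = 65537, n = 5.
_GOOD_KEY = encode_rsa_public_key(65537, 5)
_BAD_KEY = b"\x03\x01\x00\x01\x00\x05"  # same key with a forbidden leading zero in the modulus
SAMPLE_GOOD_RECORD = "nz. 3600 IN DNSKEY 257 3 8 " + base64.b64encode(_GOOD_KEY).decode()
SAMPLE_BAD_RECORD = "nz. 3600 IN DNSKEY 257 3 8 " + base64.b64encode(_BAD_KEY).decode()

if __name__ == "__main__":
    for record in (SAMPLE_GOOD_RECORD, SAMPLE_BAD_RECORD):
        print(record)
        print("  ", check_dnskey_record(record))
```

Run against the zone's actual KSK record (as published in the apex after re-signing), the script should report an empty problems list, and the key tag it prints is the value to compare with the DS record before it is submitted to the root. A non-empty list on a key that most validators still accept is exactly the situation the message describes: tolerant decoders mask the defect until a strict one rejects it.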