MYNIC has place such restriction to protect the user from mistakenly change the name server without making proper consideration of DNSSEC. If the DS Records included in the .my zones for a server that did not match the keys, the domain name will be considered bogus and it cannot be successfully resolved. To avoid such situation, we need users to disable DNSSEC before any change to the name servers can be done. After the changes have taken place, the user may Enable DNSSEC again. However, do note that you need to load the keys again at the Update Key so that DNSSEC will continue to work.