Transitioning to a single trust anchor

By on 14 Aug 2017

Category: Tech matters

Tags: , ,

Blog home

APNIC is in the process of transitioning from the current Resource Public Key Infrastructure (RPKI) trust anchor arrangement to a new configuration which has been agreed among the RIRs, and announced by the NRO.

In this new configuration, each RIR will publish an “all resources” global trust anchor, under which its own regional resources (IP addresses and ASNs) will be certified.

In the case of APNIC, we will no longer maintain the current set of five trust anchors (which represent resources received from IANA and the four other RIRs), but will instead certify those resource sets within our certification hierarchy, as further described below.

This article explains the implications of these changes, and actions which may be needed by APNIC Members and other relying parties.

What do I need to do?

If you are registering ROAs via MyAPNIC or the RPKI provisioning protocol, the process is unchanged and you do not need to make any changes. Existing ROAs will not be affected by the transition either.

If you are using relying-party software, such as the Dragon Research Labs RPKI Toolkit or RIPE’s RPKI Validator, you are advised to update your software’s configuration to use only the new APNIC IANA trust anchor, rather than the five APNIC TAs that are used currently, once stage 3 is complete.

Note: this update is not critical. However, if it is not done, the software will log or report warnings about being unable to retrieve the trust anchors that are no longer being used.

What will change

Currently, the APNIC RPKI has:

  • Five trust anchors, one for resources APNIC receives directly from IANA and one for resources vested through other RIRs, with each containing the resources for which APNIC considers itself authoritative by way of delegation from that source).
  • Five online Certificate Authorities (CAs), each signed by one of the trust anchors and having the same set of resources as its signing trust anchor.
  • Member CAs, each signed by an online CA.

After the transition, there will be:

  • An expanded trust anchor (including originally marked resources from IANA), containing “all resources”.
  • A new, online-intermediate CA (signed by the new single APNIC trust anchor), also containing “all resources”.
  • Five online CAs, each signed by the intermediate CA, with one for resources we hold directly from IANA and others for resources held through each other RIR, with each containing the resources for which APNIC considers itself authoritative by way of delegation from that source.
  • Member CAs, each signed by one of the five online CAs.

The process

The transition process comprises four stages:

  1. Expand the existing trust anchor we consider resources from IANA, issue the new intermediate CA, and re-sign one of the existing online CAs under that intermediate CA.
  2. Re-sign the other online CAs under the new intermediate CA.
  3. Reduce the other trust anchors’ resources to AS0, to indicate that they are no longer in use.
  4. Remove the other trust anchors and their repositories.

Please see (this page) for the timeline of these stages.


Testing and validation

For details on how to enrol in the test environment, or on how to validate the test environment repository, see

This post was updated on 15 August to provide greater clarity on the changes being introduced.

The original deployment plan from this post was rescheduled after the initial posting. See (this page) for timeline details. Service announcements will follow after key stages.

Rate this article

The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.

Leave a Reply

Your email address will not be published. Required fields are marked *