Updating RPKI trust anchor configuration

By on 27 Feb 2018

Category: Tech matters

Tags: ,

Blog home

APNIC has completed the process of transitioning from its previous Resource Public Key Infrastructure (RPKI) trust anchor arrangement to a new single trust anchor configuration. Each RIR will publish an ‘all resources’ global trust anchor, under which its own regional resources (IP addresses and ASNs) will be certified.

APNIC’s new trust anchor configuration includes:

  • An expanded trust anchor (including originally marked resources from IANA), containing “all resources”.
  • A new, online-intermediate CA (signed by the new single APNIC trust anchor), also containing “all resources”.
  • Five online CAs, each signed by the intermediate CA, with one for resources we hold directly from PTI and others for resources held through each other RIR, with each containing the resources for which APNIC considers itself authoritative by way of delegation from that source.
  • Member CAs, each signed by one of the five online CAs.

What do I need to do?

If you are registering ROAs via MyAPNIC or the RPKI provisioning protocol, the process is unchanged and you do not need to make any changes. Existing ROAs will not be affected by the transition either.

If you are using relying-party software, such as the Dragon Research Labs RPKI Toolkit or the RIPE NCC’s RPKI Validator, you are advised to update your software’s configuration to use only the current APNIC trust anchor, rather than the five APNIC trust anchors that were previously in use.

Note: this update is not critical. However, if it is not done, the software will log or report warnings about being unable to retrieve the trust anchors that are no longer being used.


  • If you upgrade to RIPE validator rpki-validator-app-2.24 the correct Trust Anchor is configured. No further work is required.

Dragon Research Labs Rcynic Validator

  • If you run rcynic, you need to remove all the TAL, TA and CER entries in rcynic.conf except the ones which point to apnic-rpki-root-iana-origin.cer and the related TAL.


  • To modify an installed RPSTIR system, locate the /usr/local/etc/rpstir directory and remove all but the current live APNIC TAL.

More information is available on how to update the trust anchor configuration in popular relying-partner software.

Rate this article

The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.

Leave a Reply

Your email address will not be published. Required fields are marked *