Single Trust Anchor transition (completed 2018)

30 October 2017: Stages 1-3 are now complete in production. If you are running relying party software, you can now remove the deprecated trust anchors from your configuration: see “What do I need to do?”.

APNIC transitioned from the current RPKI trust anchor arrangement to a new configuration, which has been agreed among the RIRs and announced by the NRO.

In this new configuration, each RIR will publish an ‘all resources’ global trust anchor, under which its own regional resources (IP addresses and ASNs) will be certified.

APNIC no longer maintains the previous set of five trust anchors (which represent resources received from IANA and the four other RIRs) but instead certifies those resource sets within its certification hierarchy, as further described below.

This page explains the implications of these changes, and actions that may be needed by APNIC Members and other relying parties.

What do I need to do?

If you are registering ROAs via MyAPNIC or the RPKI provisioning protocol, the process is unchanged and you do not need to make any changes. Existing ROAs will not be affected by the transition either.

If you are using older versions of relying-party software, such as the Dragon Research Labs RPKI Toolkit or RIPE’s RPKI Validator, you are advised to update your software’s configuration to use only the new APNIC IANA trust anchor. New releases of all relying party validators include the new APNIC single Trust Anchor automatically. Nothing more needs to be done if you upgrade or have upgraded.

Note: this update is not critical. However, if it is not done, the software will log or report warnings about being unable to retrieve the trust anchors that are no longer being used.
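Relying-party validators are normally configured with one Trust Anchor Locator (TAL) file per trust anchor, in the RFC 7730 layout extended by RFC 8630 (comment lines, one or more rsync or https URIs, a blank line, then the base64 DER SubjectPublicKeyInfo). The page above does not name files or tools, so the following is an added example, not APNIC's code: it parses a directory of TALs so an operator can list which trust anchors are still configured and confirm only the intended one remains. The file names, URIs and key bytes are constructed placeholders.

```python
import base64
import binascii
import re
from dataclasses import dataclass, field

# URI section lines must be rsync:// or https:// locators of the TA certificate.
URI_RE = re.compile(r"^(rsync|https)://\S+$")


@dataclass
class TrustAnchorLocator:
    filename: str
    uris: list = field(default_factory=list)
    spki: bytes = b""
    problems: list = field(default_factory=list)

    @property
    def usable(self) -> bool:
        return not self.problems


def der_sequence_length(blob: bytes):
    """Total length claimed by a DER SEQUENCE header, or None if blob is not a SEQUENCE."""
    if len(blob) < 2 or blob[0] != 0x30:
        return None
    first = blob[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n bytes of length follow
    if n == 0 or len(blob) < 2 + n:
        return None
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def parse_tal(filename: str, text: str) -> TrustAnchorLocator:
    """Parse one TAL; structural faults are recorded in .problems rather than raised."""
    tal = TrustAnchorLocator(filename)
    key_lines = []
    in_key = False
    for raw in text.splitlines():
        line = raw.strip()
        if in_key:
            if line:
                key_lines.append(line)    # base64 may be wrapped over several lines
        elif line.startswith("#"):
            continue                      # RFC 8630 comment line
        elif line == "":
            if tal.uris:
                in_key = True             # blank line ends the URI section
        elif URI_RE.match(line):
            tal.uris.append(line)
        else:
            tal.problems.append(f"unexpected line in URI section: {line!r}")
    if not tal.uris:
        tal.problems.append("no trust anchor URI")
    try:
        tal.spki = base64.b64decode("".join(key_lines), validate=True)
    except binascii.Error as exc:
        tal.problems.append(f"key is not valid base64: {exc}")
        return tal
    if der_sequence_length(tal.spki) != len(tal.spki):
        tal.problems.append("key is not a single DER SEQUENCE (expected SubjectPublicKeyInfo)")
    return tal


def inventory(tal_files: dict) -> list:
    """Parse every TAL in a {filename: contents} mapping, sorted by file name."""
    return [parse_tal(name, tal_files[name]) for name in sorted(tal_files)]


# Constructed placeholder key: SEQUENCE { INTEGER 1, INTEGER 2 }, not a real SPKI.
FAKE_SPKI = bytes([0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x02])
KEY_B64 = base64.b64encode(FAKE_SPKI).decode()

# Constructed sample directory: a well-formed TAL, a second TAL an operator may
# have left behind, and a corrupt one. None of these are APNIC's real locators.
SAMPLE_TALS = {
    "new-single-ta.tal": (
        "# placeholder single trust anchor (constructed example)\n"
        "rsync://rpki.example.test/repository/ta.cer\n"
        "https://tal.example.test/ta.cer\n"
        "\n" + KEY_B64[:6] + "\n" + KEY_B64[6:] + "\n"
    ),
    "deprecated-ta.tal": "rsync://old.example.test/repository/ta.cer\n\n" + KEY_B64 + "\n",
    "broken.tal": "rsync://rpki.example.test/repository/ta.cer\n\nnot base64!!\n",
}

if __name__ == "__main__":
    for tal in inventory(SAMPLE_TALS):
        status = "ok" if tal.usable else "; ".join(tal.problems)
        print(f"{tal.filename}: {len(tal.uris)} URI(s), key {len(tal.spki)} bytes, {status}")
```

Run it against the validator's TAL directory by reading each file into the mapping; any locator that is not the single APNIC trust anchor you intend to keep is a candidate for removal, and a malformed entry explains the retrieval warnings mentioned above.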

What changed

APNIC had:

  • Five trust anchors, one for resources APNIC received directly from IANA and one for resources vested through other RIRs, with each containing the resources for which APNIC considers itself authoritative by way of delegation from that source.
  • Five online Certificate Authorities (CAs), each signed by one of the trust anchors and having the same set of resources as its signing trust anchor.
  • Member CAs, each signed by an online CA.

After the transition, there are:

  • An expanded trust anchor (the existing one for resources received from IANA), now containing ‘all resources’.
  • A new, online-intermediate CA (signed by the new single APNIC trust anchor), also containing ‘all resources’.
  • Five online CAs, each signed by the intermediate CA: one for resources APNIC holds directly from IANA and one for resources held through each of the other RIRs, with each containing the resources for which APNIC considers itself authoritative by way of delegation from that source.
  • Member CAs, each signed by one of the five online CAs.

The process

The transition process comprises four stages:

  1. Expand the existing trust anchor for resources from IANA, issue the new intermediate CA, and re-sign one of the existing online CAs under that intermediate CA.
  2. Re-sign the other online CAs under the new intermediate CA.
  3. Reduce the other trust anchors’ resources to AS0, to indicate that they are no longer in use.
  4. Remove the other trust anchors and their repositories.
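What a relying party actually checks along these chains is RFC 3779 resource encompassment: each certificate's IP prefixes and AS numbers must lie within its issuer's. The following Python, an added example rather than anything from the APNIC page, models the hierarchy before and after the transition from the "What changed" list and the AS0 reduction of stage 3. It assumes the ‘all resources’ trust anchor and intermediate CA are represented as 0.0.0.0/0, ::/0 and the full AS range; the member prefixes and AS numbers are constructed documentation values.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional


@dataclass(frozen=True)
class ResourceSet:
    """Simplified RFC 3779 payload: IP prefixes plus inclusive AS number ranges."""
    prefixes: tuple
    as_ranges: tuple

    def covers(self, other: "ResourceSet") -> bool:
        # Every prefix of `other` must sit inside one of ours (same address family),
        # and every AS range of `other` inside one of our ranges.
        for p in other.prefixes:
            if not any(p.version == q.version and p.subnet_of(q) for q in self.prefixes):
                return False
        for lo, hi in other.as_ranges:
            if not any(plo <= lo and hi <= phi for plo, phi in self.as_ranges):
                return False
        return True


def resources(*prefixes, asns=()):
    return ResourceSet(tuple(ip_network(p) for p in prefixes), tuple(asns))


# ‘all resources’ as assumed for the single trust anchor and the intermediate CA.
ALL_RESOURCES = resources("0.0.0.0/0", "::/0", asns=[(0, 2**32 - 1)])
# What a deprecated trust anchor is reduced to in stage 3: AS0 and nothing else.
AS0_ONLY = resources(asns=[(0, 0)])


@dataclass(frozen=True)
class Cert:
    name: str
    resources: ResourceSet
    issuer: Optional["Cert"] = None


def validate_path(cert: Cert) -> list:
    """Walk from cert to its trust anchor; return every encompassment violation found."""
    problems = []
    node = cert
    while node.issuer is not None:
        if not node.issuer.resources.covers(node.resources):
            problems.append(f"{node.issuer.name} does not encompass {node.name}")
        node = node.issuer
    return problems


# Constructed resource sets (RFC 5737 / RFC 3849 / RFC 5398 documentation ranges).
IANA_SET = resources("203.0.113.0/24", "2001:db8::/32", asns=[(64496, 64511)])
MEMBER_SET = resources("203.0.113.0/25", asns=[(64500, 64500)])

# Before: one trust anchor per resource source, each online CA mirroring its TA.
old_ta = Cert("IANA trust anchor", IANA_SET)
old_online = Cert("online CA (IANA)", IANA_SET, old_ta)
old_member = Cert("member CA", MEMBER_SET, old_online)

# After stages 1-2: single all-resources TA -> all-resources intermediate -> online CA -> member.
new_ta = Cert("single APNIC trust anchor", ALL_RESOURCES)
intermediate = Cert("online intermediate CA", ALL_RESOURCES, new_ta)
new_online = Cert("online CA (IANA)", IANA_SET, intermediate)
new_member = Cert("member CA", MEMBER_SET, new_online)

# Stage 3: a trust anchor reduced to AS0 can no longer encompass any member resources,
# so anything a stale validator still tries to chain under it fails validation.
deprecated_ta = Cert("deprecated trust anchor (AS0)", AS0_ONLY)
stale_member = Cert("member CA", MEMBER_SET, deprecated_ta)

if __name__ == "__main__":
    for label, leaf in [("before", old_member), ("after", new_member), ("stale", stale_member)]:
        print(label, validate_path(leaf) or "valid")
```

The model shows why stage 3 is a safe signal rather than a breaking change: the re-signed online CAs already chain to the intermediate CA, so shrinking the old anchors to AS0 invalidates nothing that has moved, while anything left pointing at them is rejected instead of silently accepted.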

See a visual representation of the transition.

The timeline

  • 9 October – 12 October: Step through the transition in the test environment, with one stage happening on each day.
  • 23 October: Stage 1 in production
  • 25 October: Stage 2 in production
  • 30 October: Stage 3 in production
  • 8 January 2018: Stage 4 in production