APNIC operates the RPKI system under a single trust anchor. This has been chosen to cover ‘all resources’ across IPv4, IPv6 and ASNs in line with a decision made by the NRO.
The TALs for APNIC RPKI and for AS0 RPKI (authenticated denial of unallocated and unassigned resources) are published here.
Both of these TALs are available in a range of formats: RFC 7730, RFC 6490, RIPE-Validator, and with the additional https URI for the certificate in the TAL.
1. APNIC RPKI TAL in RFC7730 format
Should APNIC change the TAL, this will be communicated widely, and software should be updated. The TAL can always be verified by referring to these web pages.
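One way to check a locally configured TAL against a copy taken from the published page, as an added example that is not APNIC's code: it parses the URI line(s) and the wrapped Base64 key, then compares key fingerprints, so a single-URI TAL and one carrying the additional https URI match when they hold the same key. The function names, the example.net URIs and the key bytes are assumptions constructed for illustration; the key is placeholder data, and the code neither fetches anything nor decodes the DER structure.

```python
import base64
import hashlib

def parse_tal(text):
    """Return (uris, key_bytes) from TAL text: URI line(s), then a Base64 key.

    Accepts the single-URI layout and the multi-URI layout with a blank
    separator line; the Base64 key may be wrapped over several lines.
    """
    uris, b64_lines = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "://" in line:  # ':' is not in the Base64 alphabet, so this is a URI
            if b64_lines:
                raise ValueError("URI found after the key material")
            if line.split("://", 1)[0].lower() not in ("rsync", "https"):
                raise ValueError("unexpected URI scheme: " + line)
            uris.append(line)
        else:
            b64_lines.append(line)
    if not uris or not b64_lines:
        raise ValueError("a TAL needs at least one URI and a key")
    return uris, base64.b64decode("".join(b64_lines), validate=True)

def key_fingerprint(text):
    """SHA-256 over the decoded key bytes, for comparing two copies of a TAL."""
    return hashlib.sha256(parse_tal(text)[1]).hexdigest()

def same_trust_anchor(local_text, published_text):
    """True when both TAL texts carry the same key, whatever URIs they list."""
    return key_fingerprint(local_text) == key_fingerprint(published_text)

# Constructed sample data: placeholder bytes, NOT a real key, and example.net
# URIs, NOT APNIC's.
SAMPLE_KEY = b"\x30" + bytes(range(90))
B64 = base64.b64encode(SAMPLE_KEY).decode()
WRAPPED = "\n".join(B64[i:i + 64] for i in range(0, len(B64), 64))
TAL_ONE_URI = "rsync://rpki.example.net/repository/ta.cer\n" + WRAPPED + "\n"
TAL_WITH_HTTPS = ("rsync://rpki.example.net/repository/ta.cer\r\n"
                  "https://rpki.example.net/repository/ta.cer\r\n\r\n" + B64 + "\r\n")

if __name__ == "__main__":
    print(parse_tal(TAL_WITH_HTTPS)[0])
    print(same_trust_anchor(TAL_ONE_URI, TAL_WITH_HTTPS))
```

A mismatch from `same_trust_anchor` means the two copies name different keys and the local file should not be trusted until the difference is explained.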
Under this single TAL, APNIC operates a number of subsidiary RPKI CAs to represent the states of Internet number resources we receive from IANA directly, and from other RIRs via transfers. This logistical separation means we can clearly distinguish resources transferred in from resources delegated down.
Previously, APNIC operated five distinct TALs, one for each of these cases (the four other RIRs and IANA). A transition plan was enacted which completed in February 2018 and is documented here.
2. Additional TAL for AS0
The implementation of Prop132 (AS0 ROA for bogons) necessitates the use of an additional TAL, because we operate this service separately from the main service TAL.