RPKI signed docs now in MyAPNIC


As of January 23, 2026, APNIC members can now generate verifiable digital signatures directly within the MyAPNIC portal. RSCs are now supported in MyAPNIC. This launch signals a critical pivot where RPKI infrastructure evolves from a narrow routing security tool into a broad-spectrum mechanism for general-purpose document attestation. For over a decade, the industry treated Route Origin Authorizations as the sole viable output of resource certification, ignoring the potential for broader identity proofing. That stagnation ends with the formal adoption of RPKI Signed Checklists, which use existing IP address and Autonomous System Number allocations to sign arbitrary digital files. Unlike previous methods demanding complex command-line manipulation, this update embeds the capability directly into the registry interface, effectively democratizing access to high-assurance cryptographic proofs.

The implications extend well beyond simple file integrity; this architecture enables reliable validation for Bring Your Own IP onboarding and other scenarios requiring indisputable proof of resource authority. Third parties can now independently verify these signatures using standard tools like rpki-client or APNIC's public service, ensuring that the entity claiming ownership of a prefix is indeed its legitimate holder. This shift transforms static registry data into dynamic, cryptographically secure assertions, finally realizing the full potential of the global RPKI deployment initiated years.

The Role of RSCs in Modern Resource Attestation

Defining RPKI Signed Checklists Under RFC 9323

RFC 9323, published November 2022, defines RPKI Signed Checklists as CMS objects binding file checksums to IP resources. APNIC Announcement data shows this standard enables account holders to sign arbitrary documents using certificates linked to specific IP ranges or Autonomous System Numbers (ASNs). According to The IETF Datatracker, the technical profile specifies a Cryptographic Message Syntax protected content type for carrying these checksum lists securely. Traditional RPKI secures only the routing plane, yet this extension applies trust to the application layer for general attestation. Operators gain the ability to prove resource ownership without third-party verification services, reducing reliance on external auditors. Counterparties must implement validation logic to utilize RPKI Signed Checklists. Route Origin Authorizations process automatically on routers, but document verification demands manual steps or custom application integration. This gap limits immediate widespread adoption despite the cryptographic strength of the underlying signatures. Signing becomes trivial within MyAPNIC, yet system value depends entirely on receiver-side tooling maturity. Signed objects serve as static proofs rather than dynamic security controls without complementary measures. Mathematical verification replaces human bureaucracy, provided the verification step actually occurs.

Streamlining Document Signing via MyAPNIC Portal

RPKI Signed Checklists (RSCs) in MyAPNIC eliminate manual Cryptographic Message Syntax construction as of the January 23, 2026 launch. As reported by APNIC Announcement, this update transforms a previously complex process into a direct web interface action. Operators use this workflow whenever third-party verification of IP resource ownership is required, such as for Bring Your Own IP onboarding. The mechanism binds file checksums to specific IP ranges or Autonomous System Numbers (ASNs) using existing RPKI certificates. Command-line tools previously generated significant operational friction, and this approach removes that need. Validation requires the counterparty to possess RPKI trust anchors, which are not universally deployed across all enterprise legal teams. Network engineers shift from reactive document notarization to proactive, cryptographic proof of authority embedded within standard operating procedures. Verification occurs locally via rpki-client or through public services, ensuring the signature matches the current registry state. Resource attestation decouples from human-mediated administrative delays.

Validation Requirements Using rpki-client Version 9.7

APNIC rpki-client version 9.7 is the mandatory baseline for local RSC verification. APNIC RPKI Signed Checklists apply the existing hierarchy, binding IP blocks and Autonomous System Numbers (ASNs) to public keys for arbitrary data attestation. This architecture allows operators to validate signatures against the same trust anchor used for routing security without new infrastructure. Legacy validators lacking CMS support will silently drop these objects, creating false negatives in audit trails. Operators must upgrade tooling before attempting verification to avoid misinterpreting valid signatures as missing data.

| Component | Requirement | Function |
| --- | --- | --- |
| Validator Software | rpki-client 9. | |
| Trust Anchor | RPKI Hierarchy | Binds resources to keys |
| Input Format | RFC 9323 Checklist | Carries file checksums |

Silent failures in outdated toolchains pose a greater risk than rejected signatures because they mask validation gaps. Production environments require explicit version pinning to prevent regressions during system updates.

Inside the Cryptographic Mechanics of RSC Objects

RFC 9323 mandates CMS encapsulation to bind file checksums directly to RPKI certificates. The standard wraps arbitrary data within a Cryptographic Message Syntax structure, ensuring the signature inherits the trust anchor of the parent IP resource certificate. APNIC announcement data confirms this mechanism replaces manual CMS construction with a web-based workflow in MyAPNIC. Validation requires rpki-client version 9.7 or compatible tools to parse the protected content type correctly. Legacy validators lacking this specific CMS profile support will fail to verify the attestation, potentially causing audit gaps for operators relying on outdated toolchains.

| Feature | Manual CMS Construction | MyAPNIC RSC Workflow |
| --- | --- | --- |
| Complexity | High (RFC parsing required) | Low (Web UI driven) |
| Tooling | Command-line utilities | Browser-based interface |
| Adoption Barrier | Technical expertise | Account access only |

Organizations failing to update verification pipelines risk rejecting valid signatures from partners who adopted the new standard early.

Per APNIC, temporary assignment verification became a primary use case following fee structures implemented on February 7, 2026. Operators must replace legacy WHOIS lookups with cryptographic proofs to validate resource holding without incurring full registration costs. The workflow begins by generating an RSC object in MyAPNIC that binds a specific invoice or assignment letter to the holder's IP certificate.

  1. Generate the checklist file containing the temporary assignment details within the portal.
  2. Download the signed CMS structure produced by the system.
  3. Validate the signature locally using rpki-client version 9.7 released January 13, 2026 according to OpenBSD Project data.

This specific client version is required to parse the protected content type correctly. A critical tension exists between speed and auditability: while online checks offer immediate results, local validation provides the immutable logs required for compliance audits. Relying solely on web interfaces introduces a single point of failure during outages.

| Method | Dependency | Audit Trail |
| --- | --- | --- |
| Online Service | APNIC Infrastructure | Limited |
| Local Client | Operator Tooling | Complete |

The drawback is that legacy systems cannot interpret these new objects, forcing a parallel run of old and new verification methods during migration. This shift reduces reliance on insecure database queries while adapting to new economic constraints on temporary resources.

Operational Checklist for BYOIP Proof of Authority

According to APNIC, Bring Your Own IP scenarios now require cryptographic proof of authority via RPKI Signed Checklists instead of legacy WHOIS checks. Operators must execute a strict validation sequence to prevent onboarding fraud when third parties present resource claims. The mechanism binds document checksums to specific IP ranges using the existing RPKI hierarchy set in RFC 9323.

  1. Generate the RSC object containing the invoice hash directly within the MyAPNIC portal interface.
  2. Distribute the signed file to the upstream provider for independent verification against public trust anchors.
  3. Confirm validity using rpki-client or the APNIC online service before enabling traffic flow.

| Method | Security Posture | Operational Overhead |
| --- | --- | --- |
| Legacy WHOIS | Low (easily spoofed) | High (manual ticketing) |
| RSC Attestation | High (cryptographic) | Low (automated) |
| Notarized Letter | Medium (legal lag) | Very High (time delay) |

A critical tension exists here: while automation speeds onboarding, relying on a single validator version creates a single point of failure if the software stack drifts. Approximately 75% of test traffic directs correctly only when both parties maintain synchronized validation logic. The drawback is that any desynchronization between the signer's certificate state and the verifier's cache results in immediate, silent rejection of valid proofs.
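
The receiving side of the checklist above, as an added example (not APNIC's or rpki-client's code): a fail-closed acceptance gate that rejects when the validator is below the pinned baseline, reports no RSC object, or leaves the document hash or the claimed prefix uncovered. The `report` dictionary is a hypothetical normalised summary that an operator's wrapper would build from its validator's output; its field names, the function names and the sample data are assumptions, and SHA-256 is the checklist digest RFC 9323 specifies.

```python
import hashlib
import ipaddress
import re

MIN_VALIDATOR = (9, 7)  # baseline this page states for local RSC verification


def parse_version(banner):
    """Extract (major, minor) from a version banner; None if unparseable."""
    m = re.search(r"(\d+)\.(\d+)", banner or "")
    return (int(m.group(1)), int(m.group(2))) if m else None


def covers(resources, claimed_prefix):
    """True only if claimed_prefix sits inside one of the signed resources."""
    try:
        claimed = ipaddress.ip_network(claimed_prefix)
        nets = [ipaddress.ip_network(r) for r in resources]
    except (TypeError, ValueError):
        return False  # malformed input is a rejection, never a pass
    return any(n.version == claimed.version and claimed.subnet_of(n) for n in nets)


def accept_rsc(report, document, filename, claimed_prefix, validator_banner):
    """Return (accepted, reasons); a missing value is always a rejection."""
    reasons = []
    version = parse_version(validator_banner)
    if version is None or version < MIN_VALIDATOR:
        reasons.append("validator version unknown or below pinned baseline")
    if not isinstance(report, dict) or report.get("type") != "rsc":
        # A validator that skipped the object yields no RSC report at all.
        return False, reasons + ["validator did not report an RSC object"]
    if report.get("validation") != "OK":
        reasons.append("signature or certificate chain not validated")
    # The signature only covers digests, so hash the received file ourselves.
    digest = hashlib.sha256(document).hexdigest()
    listed = any(
        e.get("sha256") == digest and e.get("filename") in (None, filename)
        for e in (report.get("checklist") or [])
    )
    if not listed:
        reasons.append("document hash not in signed checklist")
    if not covers(report.get("resources", []), claimed_prefix):
        reasons.append("claimed prefix not covered by signed resources")
    return not reasons, reasons


# Constructed sample data (documentation prefix, made-up invoice bytes).
SAMPLE_DOC = b"Invoice 0001: BYOIP onboarding for 192.0.2.0/24\n"
SAMPLE_REPORT = {
    "type": "rsc",
    "validation": "OK",
    "resources": ["192.0.2.0/24"],
    "checklist": [{"filename": "invoice.txt",
                   "sha256": hashlib.sha256(SAMPLE_DOC).hexdigest()}],
}

if __name__ == "__main__":
    print(accept_rsc(SAMPLE_REPORT, SAMPLE_DOC, "invoice.txt",
                     "192.0.2.0/25", "rpki-client 9.7"))
```

Logging the returned reasons alongside the validator banner gives the local audit trail the page describes, with a skipped object recorded as an explicit rejection.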

Executing Document Signing Workflows in MyAPNIC

RSC Object Structure and Cryptographic Binding Mechanics

RFC 9323 defines the CMS protected content type binding checksums to IP resources via a verifiable digital signature. Data shows this output replaces manual construction with an automated web workflow in MyAPNIC. The mechanism encapsulates a checklist of file hashes within the Cryptographic Message Syntax structure, inheriting the trust anchor of the parent certificate. This binding ensures the signature validity depends entirely on the underlying RPKI hierarchy status. Operators must recognize that legacy validators lacking specific CMS profile support will fail verification, creating silent audit gaps. The limitation is strict versioning: only tools parsing the RFC 9323 profile correctly can attest to resource ownership.

  1. Generate the checklist file containing target document hashes within the portal interface.
  2. Download the resulting RSC object which wraps the data in the standardized container.
  3. Distribute the signed artifact to third parties for independent validation against public keys.

| Layer | Function | Constraint |
| --- | --- | --- |
| Application | Holds file checksums | Must match source exactly |
| CMS | Encapsulates signature | Requires RFC 9323 parser |
| RPKI | Binds to INRs | Depends on certificate validity |

Figure: Timeline showing RSC milestones from 2022 to 2026, metric card highlighting rpki-client v9 requirement and 75% test success rate, and bar chart comparing 5% fee increase versus 25% discount.

Blindly trusting unsigned claims remains a vector for resource hijacking despite available cryptography. Operators must replace manual checks with RPKI Signed Checklists (RSCs) to cryptographically bind document checksums to IP resources. The mechanism leverages the RFC 9323 profile to encapsulate file hashes within a CMS object, inheriting trust from the parent certificate hierarchy. This approach eliminates third-party validation costs while ensuring the signature validity depends entirely on the underlying resource certification status. However, the limitation is strict toolchain versioning; validators lacking specific CMS profile support will fail verification, creating silent audit gaps for operators using outdated software stacks.

  1. Generate the checklist file containing the invoice hash directly within the MyAPNIC portal interface.
  2. Download the signed CMS structure produced by the automated workflow. 3..

The operational consequence is a shift in liability; if the RSC validates, the upstream provider accepts the cryptographic proof as absolute authority, removing human error from the authorization chain.

Verification Prerequisites: rpki-client.

Third-party validation fails immediately without rpki-client version 9. This specific release introduces the CMS profile parser required for RFC 9323 compliance, whereas older versions silently ignore the new object type. Operators relying on legacy tools encounter non-fatal errors that mimic successful verification, creating dangerous false positives in audit trails. The cost of skipping this upgrade is measurable: validators lacking specific CMS profile support will fail verification, creating silent audit gaps for operators using outdated toolchains. Independent verifiers must choose between local command-line execution or web-based checks via the APNIC public service. Local validation offers offline capability but demands strict binary management across distributed teams.

| Validation Method | Dependency | Failure Mode |
| --- | --- | --- |
| Local CLI | rpki-client 9. | |
| APNIC Online | Browser access | Service outage |

A mismatch here blocks BYOIP onboarding entirely, stalling revenue generation for cloud providers.

Strategic Advantages of RPKI-Based Verification Over Commercial APIs

Independent Validation Mechanics of RPKI Signed Checklists

Figure: Charts comparing RPKI verification costs showing $5/GB for commercial vs free for open source, key metrics including 75% routing accuracy and 5% fee hikes, and RFC 9323 compliance levels.

Third parties validate document ownership by traversing the standard RPKI hierarchy rather than querying the issuing operator directly. This mechanism binds file checksums to specific IP ranges using the trust anchor set in RFC 9323, so the signature relies solely on the resource certificate status. OpenBSD Project data confirms that rpki-client version 9.7, released January 13, 2026, provides the necessary parser for these objects. Commercial alternatives often charge per-request fees, whereas this open-source tool allows unlimited local verification without recurring costs. Automation speed clashes with toolchain currency because validators running older software silently ignore the new object type, creating false confidence in audit trails. Operators must upgrade immediately to avoid these silent failures during BYOIP onboarding or fee structure changes implemented February 7, 2026. Legacy WHOIS lookups introduce unverified risk into peering agreements. The cost of delayed adoption is measurable exposure to fraudulent resource claims.

| Validator Type | Cost Model | RFC 9323 Support |
| --- | --- | --- |
| rpki-client 9. | | |
| Legacy Tools | Free/Variable | No |
| Commercial APIs | Per-GB Fees | Variable |

Application: Verifying Temporary Resource Assignments Under 2026 Fee Structures

APNIC fee changes implemented February 7, 2026 demand cryptographic proof for temporary assignments to avoid costly full-registration requirements. Operators replace insecure WHOIS queries with RPKI Signed Checklists that bind document checksums directly to IP resources. The mechanism utilizes the existing RFC 9323 profile to encapsulate file hashes within a CMS object, inheriting trust from the parent certificate hierarchy. Strict toolchain versioning limits deployment; validators lacking specific CMS profile support will fail verification, creating silent audit gaps for operators using outdated software stacks. Validators running older software silently ignore the new object type, falsely reporting success while missing invalid signatures entirely.

About

Evgeny Sevastyanov, Support Team Leader at InterLIR, brings direct operational expertise to the discussion on RPKI Signed Checklists (RSCs). Leading the customer support team at this Berlin-based IPv4 marketplace, Evgeny manages daily interactions involving critical network resource verification. His role requires frequent creation and management of objects within RIPE and APNIC databases, making him uniquely qualified to explain the practical value of RFC 9323. At InterLIR, where security and transparency are core values for IP address transactions, understanding cryptographic signing is essential. Evgeny's hands-on experience ensuring clean BGP and route objects allows him to articulate how RSCs simplify the previously complex process of document verification. By connecting his frontline work with IP resource management to the new MyAPNIC features, he provides a factual perspective on how these tools enhance trust and efficiency in the global IT sector.

Conclusion

The illusion of security crumbles when legacy validators silently accept forged authority claims, creating a dangerous gap where 75% of test traffic appears compliant while the rest exposes the network to unverified risks. This software stack drift is not merely a technical glitch; it is an operational liability that compounds as scale increases, turning every unpatched validator into a potential entry point for identity spoofing. While the immediate appeal lies in eliminating per-request fees that can skyrocket to $5/GB, the true breakthrough is the shift from variable commercial expenditure to fixed infrastructure investment funded by regional revenue pools. However, relying on outdated toolchains nullifies these economic advantages instantly, as legacy parsers cannot distinguish between genuine cryptographic proofs and sophisticated forgeries.

Organizations must mandate a full validation stack upgrade within the next 90 days to ensure strict CMS profile support before temporary assignment proofs become industry standard. Waiting for vendor updates is a strategy for failure; proactive engineering ownership is the only path to genuine sovereignty over Internet Number Resources. Start by auditing your current validator versions against the latest RSC specifications this week, specifically testing for silent rejection of unknown object types. If your current setup fails to flag unsupported profiles as errors rather than ignoring them, you are already operating with a false sense of security. The window to lock in zero-marginal-cost verification before market dynamics shift is closing; seize it now or pay the premium later.

Frequently Asked Questions

What specific operational use cases does RSC support today?
RSC objects primarily support Bring Your Own IP onboarding scenarios. This capability provides indisputable proof of resource authority for third parties requiring verification.
How do I verify an RSC object without paying fees?
You can validate signatures locally using the completely free rpki-client software. This tool performs validation with no licensing fees per GB or per validation charge.
Does generating RSC objects in MyAPNIC incur extra costs?
APNIC provides RSC generation directly through the portal at no additional cost. This service requires only standard membership fees without extra charges per transaction.
What happens if the receiving party lacks RPKI validation tools?
Counterparties must implement validation logic because signing becomes trivial only within MyAPNIC. Without receiver-side tooling maturity, the signed objects serve merely as static proofs.
Which software version is required for local RSC verification?
APNIC rpki-client version 9.7 is the mandatory baseline for local RSC verification. Legacy validators lacking CMS support cannot process these new cryptographic message syntax objects.
Evgeny Sevastyanov
Support Team Leader