How it works
We run three independent Routinator instances (one per live PoP), each pulling from the five RIR Trust Anchors. Validators feed the route servers via the RPKI-RTR protocol with a 5-minute SLURM-eligible refresh.
The validation outcome is encoded as a community on accepted prefixes:
- 202192:2000 — RPKI valid
- 202192:2001 — NotFound (no covering ROA)
- Invalid announcements are dropped before the prefix enters the RIB.
Publishing your own ROAs
Members are required to publish ROAs for every prefix announced. Most RIRs offer hosted RPKI in their member portals:
- RIPE NCC — Hosted ROA editor.
- ARIN — Hosted or delegated.
- APNIC — Hosted.
- AFRINIC — Hosted.
- LACNIC — Hosted.
maxLength gotcha
Don't set maxLength wider than your most-specific announcement. A common mistake is creating a single ROA with maxLength=24 for a /22: every /23 and /24 inside it then validates as RPKI valid for your origin AS, so a forged-origin announcement of any sub-prefix you never announce passes validation and wins on longest-prefix match. Keep ROAs as tight as your real announcements.
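The maxLength rule above as an added audit sketch (not DATAHUB-IX's own tooling): it applies RFC 6811 origin validation to a ROA set and flags ROAs whose maxLength is wider than the most-specific prefix actually announced. The /22, the ROA tuples and the function names are constructed for illustration; the community values are the ones listed on this page.

```python
import ipaddress

# Constructed sample data: documentation-style prefix and private-use ASN.
LOOSE = [("198.51.100.0/22", 24, 65500)]   # (prefix, maxLength, origin ASN)
TIGHT = [("198.51.100.0/22", 22, 65500)]
ANNOUNCED = [("198.51.100.0/22", 65500)]   # what the member really originates

# Communities as listed on this page; None means dropped before the RIB.
COMMUNITY = {"valid": "202192:2000", "notfound": "202192:2001", "invalid": None}


def covers(roa_prefix, prefix):
    """True if prefix is equal to or more specific than the ROA prefix."""
    roa_net, net = ipaddress.ip_network(roa_prefix), ipaddress.ip_network(prefix)
    return roa_net.version == net.version and net.subnet_of(roa_net)


def validate(prefix, origin_asn, roas):
    """RFC 6811 origin validation of one announcement against a ROA set."""
    length = ipaddress.ip_network(prefix).prefixlen
    covering = [r for r in roas if covers(r[0], prefix)]
    if not covering:
        return "notfound"
    ok = any(asn == origin_asn and length <= max_len for _, max_len, asn in covering)
    return "valid" if ok else "invalid"


def loose_roas(roas, announced):
    """ROAs whose maxLength is wider than the origin's most-specific real announcement."""
    findings = []
    for roa_prefix, max_len, asn in roas:
        lengths = [ipaddress.ip_network(p).prefixlen
                   for p, a in announced if a == asn and covers(roa_prefix, p)]
        longest = max(lengths, default=None)
        if longest is None or max_len > longest:
            findings.append((roa_prefix, max_len, asn, longest))
    return findings


if __name__ == "__main__":
    # A /24 the member never announces, carrying the member's ASN as origin.
    unannounced = ("198.51.101.0/24", 65500)
    for name, roas in (("loose", LOOSE), ("tight", TIGHT)):
        state = validate(*unannounced, roas)
        print(name, state, COMMUNITY[state], loose_roas(roas, ANNOUNCED))
```

With the loose ROA the never-announced /24 comes out valid and would be tagged 202192:2000; with the tight ROA the same announcement is invalid and dropped.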
Verifying validation status
# Public validators that mirror RIR data:
# (the Team Cymru origin lookup takes the address with octets reversed and no prefix length)
$ dig +short txt 0.100.51.198.origin.asn.cymru.com
$ curl -s https://rpki-validator.ripe.net/api/v1/validity/AS65500/198.51.100.0/24
# Or use the DATAHUB-IX Looking Glass:
rs1.fks> show route 198.51.100.0/24 | match validation
BGPSec & ASPA
BGPSec is not yet enforced on the route servers. ASPA (Autonomous System Provider Authorization) validation is on the roadmap for 2026 Q4 — once the IETF draft becomes RFC.