diff --git a/INITIAL-COMMANDS.md b/INITIAL-COMMANDS.md
index 1fa8513c..e033b576 100644
--- a/INITIAL-COMMANDS.md
+++ b/INITIAL-COMMANDS.md
@@ -23,7 +23,8 @@ Run the complete base installation:
 :local CertFingerprint "e14ffcad5b0025731006caa43a121a22d8e9700f4fb9cf852f02a708aa5d5666";
 :local CertSettings [ /certificate/settings/get ];
- :if (!((($CertSettings->"builtin-trust-store") ~ "fetch" || \
+ :if (!((($CertSettings->"builtin-trust-anchors") = "trusted" || \
+ ($CertSettings->"builtin-trust-store") ~ "fetch" || \
 ($CertSettings->"builtin-trust-store") = "all") && \
 [ :len [ /certificate/builtin/find where common-name=$CertCommonName ] ] > 0)) do={
 :put "Importing certificate...";
diff --git a/README.md b/README.md
index 7458ca24..02aab665 100644
--- a/README.md
+++ b/README.md
@@ -100,11 +100,13 @@ including demonstration recorded live at [MUM Europe
 The update script does server certificate verification, so first step is to download the certificates.
-> 💡️ **Hint**: RouterOS comes with a builtin certificate store. You
+> 💡️ **Hint**: RouterOS 7.19 comes with a builtin certificate store. You
 > can skip the steps regarding certificate download and import and jump
 > to [installation of scripts](#installation-of-scripts) if you set the
-> certificates to be trusted my the `fetch` command at least. But make
-> sure not to drop other targets:
+> trust for these builtin trust anchors:
+> `/certificate/settings/set builtin-trust-anchors=trusted;`
+> With RouterOS 7.21 the functionality was changed. Set this at minimum,
+> but make sure not to drop other targets:
 > `/certificate/settings/set builtin-trust-store=fetch;`
 If you intend to download the scripts from a
diff --git a/global-functions.rsc b/global-functions.rsc
index 5694bbfd..8e04a9a7 100644
--- a/global-functions.rsc
+++ b/global-functions.rsc
@@ -128,7 +128,8 @@
 }
 :local CertSettings [ /certificate/settings/get ];
- :if ((($CertSettings->"builtin-trust-store") ~ $UseFor || \
+ :if ((($CertSettings->"builtin-trust-anchors") = "trusted" || \
+ ($CertSettings->"builtin-trust-store") ~ $UseFor || \
 ($CertSettings->"builtin-trust-store") = "all") && \
 [ :len [ /certificate/builtin/find where common-name=$CommonName ] ] > 0) do={
 :return true;
@@ -1014,9 +1015,32 @@
 # return an IPv6 netmask for CIDR
 :set NetMask6 do={
- :local CIDR [ :tonum $1 ];
+ :local FuncName $0;
+ :local CIDR [ :tostr $1 ];
- :return (((~::) << (128 - $CIDR)) & (~::));
+ :global IfThenElse;
+ :global MAX;
+ :global MIN;
+
+ :global NetMask6Cache;
+
+ :if ([ :typeof ($NetMask6Cache->$CIDR) ] = "ip6") do={
+ :return ($NetMask6Cache->$CIDR);
+ }
+
+ :if ([ :typeof $NetMask6Cache ] = "nothing") do={
+ :set NetMask6Cache ({});
+ }
+
+ :local Mask "";
+ :for I from=0 to=7 do={
+ :set Mask ($Mask . \
+ [ :convert from=num to=hex (0xffff - (0xffff >> [ :tonum [ $MIN [ $MAX ($CIDR - (16 * $I)) 0 ] 16 ] ])) ] . \
+ [ $IfThenElse ($I < 7) ":" ]);
+ }
+ :set Mask [ :toip6 $Mask ];
+ :set ($NetMask6Cache->$CIDR) $Mask;
+ :return $Mask;
 }
 # prepare NotificationFunctions array
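Review bot: In the `@@ -128,7 +128,8 @@` hunk of global-functions.rsc, the new `builtin-trust-anchors` = "trusted" test makes the condition true without consulting `$UseFor`, and nothing in the code explains why that is acceptable. Going by the README change in this commit, `builtin-trust-anchors` appears to be the RouterOS 7.19 name of the setting and `builtin-trust-store` the one used since 7.21, so each release presumably exposes only one of the keys and the check relies on the missing key comparing false. A comment above the `:if` would record that, for example `# builtin-trust-anchors: setting name in RouterOS 7.19; builtin-trust-store: since 7.21, with per-use values`, which also tells a later maintainer when the first branch can be removed. The same condition is duplicated in INITIAL-COMMANDS.md, and the enclosing function starts and ends outside this hunk.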
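Review bot: In the `NetMask6` hunk, `$CIDR` becomes the key into the global `NetMask6Cache` without being checked to be a number between 0 and 128. Assuming `$MIN` and `$MAX` clamp as their names suggest, a prefix length above 128 produces an all-ones mask instead of an error, and that result is then cached under the bad key. A range check ahead of the cache lookup would prevent this, for example `:local Bits [ :tonum $1 ];` followed by `:if ([ :typeof $Bits ] != "num" || $Bits < 0 || $Bits > 128) do={ ... }`, with the failure reported the way the other helpers in this file report bad arguments. `FuncName` is assigned from `$0` but not used anywhere in the hunk; that check is the natural place to use it in a log message, otherwise the line can be dropped.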