RE: Cloudflare OCTO RPKI Validator - LACNIC CAs issues

Does anybody else have problems with Cloudflare’s RPKI Validator with prefixes from LACNIC?

We (Netflix) briefly saw Cloudflare’s public instance of OctoRPKI missing some ~13,000 ROAs on 2021-03-24 at ~12:30pm PT, while our internal instance of OctoRPKI had a complete list. Upon comparing the two lists, Cloudflare’s instance seemed to be missing ROAs from only LACNIC, so I’m thinking we saw the same issue that you did.

I haven’t had a chance to really look into it and, AFAIK, we haven’t noticed the issue since, but my guess for what’s happening is that OctoRPKI hits an error while downloading the ROAs from LACNIC but then continues to collect ROAs from the other RIRs, resulting in an incomplete list. This seems to be the case from a quick glance at the code:

This could probably be changed to instead break out of that loop and propagate the error up to the main loop to let it continue without building an incomplete ROA list, but that’s just a quick guess… it’s possible that it’s built this way for a reason or there may be a better way to handle that failure mode.
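As an added illustration of the failure mode and the suggested fix described above (example code written for this thread, not OctoRPKI's own; the ROA type, the Fetcher type and the five stand-in trust anchors are constructed assumptions), in Go:

```go
package main

import "fmt"

type ROA string                    // minimal validated ROA, "prefix-maxlen AS" (hypothetical, not OctoRPKI's own type)
type Fetcher func() ([]ROA, error) // fetches and validates the ROAs under one trust anchor (one RIR's TAL)

// sampleFetchers: constructed stand-ins for the five RIR TALs, three ROAs each; lacnicFails makes LACNIC error.
func sampleFetchers(lacnicFails bool) map[string]Fetcher {
	f := map[string]Fetcher{}
	for i, rir := range []string{"arin", "ripe", "apnic", "afrinic", "lacnic"} {
		r := ROA(fmt.Sprintf("192.0.2.0/24-24 AS%d", 64496+i))
		f[rir] = func() ([]ROA, error) { return []ROA{r, r, r}, nil }
	}
	if lacnicFails {
		f["lacnic"] = func() ([]ROA, error) { return nil, fmt.Errorf("repository fetch failed") }
	}
	return f
}

// collectLenient mirrors the suspected behaviour: a failing trust anchor is skipped, so the list is silently incomplete.
func collectLenient(fetchers map[string]Fetcher) []ROA {
	var out []ROA
	for _, f := range fetchers {
		roas, err := f()
		if err != nil {
			continue // error swallowed; the caller cannot tell that LACNIC's ROAs are missing
		}
		out = append(out, roas...)
	}
	return out
}

// refresh is the stricter main-loop step the message suggests: any failure is propagated and the previous snapshot kept.
func refresh(prev []ROA, fetchers map[string]Fetcher) ([]ROA, error) {
	var next []ROA
	for name, f := range fetchers {
		roas, err := f()
		if err != nil {
			return prev, fmt.Errorf("trust anchor %s: %w", name, err)
		}
		next = append(next, roas...)
	}
	return next, nil
}

func main() {
	good, _ := refresh(nil, sampleFetchers(false))  // healthy run: 15 ROAs
	cur, err := refresh(good, sampleFetchers(true)) // LACNIC fails: snapshot stays at 15, error reported
	fmt.Println(len(collectLenient(sampleFetchers(true))), len(cur), err) // 12 15 trust anchor lacnic: ...
}
```

A validator that keeps its last complete snapshot and logs the failure gives operators a clear signal, whereas the lenient loop's only symptom is a ROA count that quietly drops.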