This study addresses ambiguities, contradictions, and underspecified requirements in the RPKI standards (RFCs), which have led to inconsistent implementations and real-world security vulnerabilities. For the first time, we systematically establish a causal link between RFC specification flaws and deployed vulnerabilities by integrating differential fuzz testing, global RPKI data collection, validator log analysis, and RFC semantic comparison. Our investigation uncovers 61 undocumented discrepancies in validation behavior, 23 of which directly stem from defects in the RFCs, and identifies two previously unknown vulnerabilities assigned CVE identifiers. Based on these findings, we propose targeted improvements to the RPKI standards and develop the first real-time alerting service to monitor deployment inconsistencies. All datasets and tools are publicly released.

The Resource Public Key Infrastructure (RPKI) secures the Internet's routing system by defining a complex trust and validation framework for certificates, Route Origin Authorizations (ROAs), manifests, and Certificate Revocation Lists (CRLs). These mechanisms are specified across dozens of RFCs. This paper presents the first comprehensive analysis of the causal link between flaws in RPKI Requests for Comments (RFCs) and vulnerabilities in implementations and real-world deployments. We reveal how vague, conflicting, or underspecified requirements in 50 RPKI RFCs propagate into inconsistent implementation behavior and operational failures. We conduct the first large-scale, impact-driven evaluation of RPKI specifications. Our methodology combines differential fuzzing of major RPKI implementations with Internet-wide crawling and validation log analysis, enabling us to trace practical vulnerabilities back to flawed RFC requirements. We uncover 61 previously undocumented inconsistencies in validation behavior, trace 23 directly to RFC flaws, and identify two novel vulnerabilities that were assigned CVEs. Our findings reveal that these are not isolated coding errors but rather systemic issues inherent in how RPKI standards are written, interpreted, and implemented. To mitigate these threats, we propose concrete recommendations and introduce a novel alerting service that monitors and reports live inconsistencies in RPKI deployments. Our open-source datasets, code, and tools support reproducibility and further research.