Summary
- The IANA numbering function is strongest when treated as a contractable technical service: maintaining top-level IPv4, IPv6 and ASN state, processing policy-valid RIR requests, supporting reverse-DNS parent delegation and publishing public evidence that the global number record remains unique.
- Political ownership is the wrong frame. Neither a government, ICANN, PTI, a Regional Internet Registry nor NRS should be described as owning Internet numbers by virtue of operating a registry service. The defensible authority is narrower: perform specified coordination duties under agreed standards and remain replaceable if the service fails.
- A Number Resource Society-compatible model can be positive without being reckless. NRS can argue for holder portability, open verification, data proofs, auditability and freedom from incumbent veto while preserving global uniqueness and labelling recognised authority separately from supplemental evidence.
- The necessary architecture is contractual and evidentiary: signed current-state commitments, reconciliation against allocation registries, RDAP and reverse-DNS proof, RPKI continuity, incident and correction records, successor readiness, transparent qualification tests and a replacement process that protects operators from double registration or service hostage-taking.
The false choice around IANA
Debate about IANA is often pulled toward a false choice. One side treats IANA as the remaining public crown of Internet governance, a symbolic point that must be politically owned or politically defended. The other treats it as a neutral technical desk whose surrounding power questions are solved by good engineering manners. Neither description is enough for number resources.
The numbering function is not sovereign territory. It does not own every address, license every operator or rule every route. But it is also not a clerical afterthought. The top-level record of IPv4, IPv6 and autonomous system number delegations gives the registry system a common starting point. Reverse-DNS parent delegation, RDAP bootstrap data, RPKI hierarchy assumptions and global-policy recognition all rely, directly or indirectly, on a stable account of which registry is authoritative for which resources.
The right frame is contractable service. A contractable IANA function has named customers, named duties, measurable service expectations, evidence of performance, security and continuity obligations, data portability, dispute resolution and replacement rules. It is political only in the sense that institutions must decide who may perform the service and under what accountability terms. Its day-to-day legitimacy should rest on performance and proof, not ownership rhetoric.
This distinction matters for any Number Resource Society-compatible future. NRS's best positive argument is not that it can declare a new political authority over numbers. It is that number-resource coordination should be portable, verifiable and open enough that no incumbent service provider can convert technical reliance into permanent institutional veto. That argument succeeds only if global uniqueness is preserved more rigorously, not less.
What is contractable
The contractable part of IANA numbering is the performance of a defined service. It includes maintaining the top-level registries for unallocated or delegated IPv4, IPv6 and ASN resources; processing requests that satisfy global policy; recording returns or reallocations at the top level; supporting upper reverse-DNS delegations; maintaining relevant public registries; and sharing operational evidence with the parties that depend on the service.
The current IANA Numbering Services SLA already proves that such a service can be reduced to legal duties. It identifies ICANN as operator, the five RIRs as parties, valid request handling, performance reporting, security obligations, dispute resolution, non-renewal, termination and successor arrangements. It is not perfect. Its visible remedy path can be slow, and ordinary metric misses do not automatically become public cure plans. But the existence of the agreement refutes the idea that IANA numbering must be governed only by institutional trust.
The next step is to make the contract more data-native. A timing metric says whether a request was acknowledged or implemented within a period. A data-proof metric says whether the resulting state can be independently reconstructed. Did the top-level registry change from one exact state to another? Was the change linked to a policy-valid request? Was the prior state archived? Were all dependent public registries updated? Can a third party detect if two inconsistent histories were presented?
This is where NRS-compatible thinking can help. NRS emphasizes accurate bookkeeping and limited registry power. That philosophy should lead to a service contract where the operator's power is bounded by public evidence. The function does not become weaker when proof improves. It becomes less dependent on personal trust and incumbent reputation.
Global uniqueness is a data property before it is a political claim
The Internet Numbers Registry System described in RFC 7020 exists to distribute globally unique IP address space and AS numbers. Uniqueness is the central operational promise. It means two unrelated parties should not receive the same current resource from two authorities that both claim to be final. It also means that historical changes should be reconstructable enough to explain why the current state is what it is.
That promise can be expressed as a data property. At a given time, a resource range has one top-level status in the authoritative record: unallocated, reserved, delegated to a registry, returned, or otherwise marked under a defined category. A later state should extend or supersede the earlier state through a recorded change. Each change should identify its source authority, reason class, effective time, affected range and dependency effects.
Political ownership language obscures this. If a government claims ownership, the question becomes legitimacy of the government. If ICANN or an RIR is treated as owner, the service provider becomes harder to replace. If NRS claims ownership, it repeats the error it criticizes. None of those moves improves uniqueness. The practical question is whether all relying parties can verify the same current state and whether any deviation can be detected quickly.
Data proof cannot settle every dispute. A signed record can show that a decision was made, not that the decision was fair, lawful or commercially wise. A hash commitment can show that a document existed before a time, not that the signer had authority. A reconciliation report can show no overlap in the public top-level ledger, not that every regional member record is perfect. But those bounded propositions are still valuable. They narrow disagreement and make institutional claims testable.
A contractable IANA function should therefore treat uniqueness as a continuously proven state. The service operator should not merely say the registry is correct. It should publish enough structured evidence for qualified auditors, RIRs, NRS-style portability services and network operators to detect inconsistencies without exposing confidential material.
The service customer is wider than the contracting party
The current IANA numbering contract is between ICANN and the five RIRs. That makes sense because RIRs are the direct customers of top-level numbering allocations and reverse-DNS coordination. They submit requests, reimburse costs and supervise performance through the NRO structure. A contract needs counterparties, and the RIRs are the obvious legal customers.
Operational reliance is wider. A cloud provider deciding whether to accept BYOIP depends on the address record. A bank evaluating IPv4 collateral depends on transfer recognition. A network operator validating routes depends on RPKI trust. A public agency procuring connectivity depends on RDAP and reverse-DNS evidence. A holder trying to move service after registry failure depends on data portability. These actors may have no direct claim under the IANA SLA, but they bear the cost when top-level coordination is opaque or captive.
An NRS-compatible design should preserve the RIRs as necessary contracting parties while adding public reliance rights through evidence. That does not require every operator to sue the IANA operator. It requires verifiable records, public incident notices, independent audit summaries, holder-readable receipts and open qualification standards for any service that claims to support continuity.
The distinction between legal customer and operational relying party is common in critical infrastructure. A clearing house may contract with members while investors rely on settlement finality. A certificate authority may contract with subscribers while browsers and users rely on validation. A registry may contract with registrars while registrants and resolvers rely on the resulting state. The law does not always give every relying party a direct remedy, so the evidence layer becomes more important.
NRS can be useful at this layer. It can advocate for holder receipts, independent observation, portability packages and proof of continuity that make reliance less blind. It should not use reliance as a shortcut to authority. The safer claim is that wider reliance deserves wider verification, not wider political command.
A technical SLA should measure more than response time
The present SLA's timing promises are necessary. A valid request must be acknowledged, additional information must be requested within a defined period and ordinary implementation must occur within a defined period after the relevant starting point. If the operator cannot or will not fulfill a request within a longer period, it must explain status and reasons. These obligations prevent the service from disappearing into silence.
For a future contractable model, timing should be only the outer layer. The real service level is the integrity of state transition. A good SLA would measure request acceptance, rejection reasons, implementation latency, registry-state consistency, publication of prior and new state commitments, reverse-DNS propagation, RDAP bootstrap update alignment, RPKI trust effects, incident disclosure, correction latency and successor export readiness.
It would also distinguish severity. A late acknowledgement is not the same as a duplicate allocation. A stale RDAP bootstrap entry is not the same as a compromised signing key. A reverse-DNS delay is not the same as a loss of authoritative registry history. A mature SLA should have classes of incident, required explanation, cure period, public summary and escalation trigger for each class.
This is not bureaucracy for its own sake. Without severity classes, the strongest remedies are too strong and the ordinary metrics too weak. Termination is not a sensible response to every miss. Silence is not a sensible response to repeated or unexplained failure. Intermediate remedies make replacement credible because they create a trail: warning, public classification, correction plan, independent verification, repeated failure and then successor action.
NRS-compatible reform should insist on this middle layer. A future registry service cannot be accountable if the only options are institutional trust or institutional death. Contractable accountability lives between them.
Data proofs should be built into the service
The top-level numbering service should publish structured commitments to its current state. A commitment is not a full data dump. It can be a signed statement that binds a particular state file, time, change set and operator key. Independent parties can later confirm whether the state they received matches the committed record. If two incompatible commitments appear for the same time or sequence, equivocation becomes visible.
The proof set should include several layers. First, a signed current-state file covering top-level IPv4, IPv6 and ASN delegations, reservations and returns. Second, a signed change log that links each new state to a prior state and to a reason class. Third, a reconciliation report comparing RDAP bootstrap entries, reverse-DNS parent delegations and public IANA allocation registries. Fourth, an export package sufficient for a successor to reconstruct service without asking the incumbent to explain its own history from memory.
Privacy and security limits matter. Not every request document, staff exchange or authentication detail should be public. A proof can commit to protected material without exposing it. A public entry might say that a policy-valid request, authenticated by a named RIR role, supported a change and that the protected request record is held under defined access rules. Reviewers could then inspect the material if a dispute arises.
The result is bounded trust. Operators do not need to trust that every internal conversation was perfect. They need confidence that the public state has one history, that changes are attributable, that protected evidence exists, that auditors can inspect it and that a successor can use it. This is the same spirit behind RPKI manifests, repository synchronization and transparency logs: prove what can be proved, label what remains judgment and keep enough evidence for correction.
NRS should champion this proof discipline because it aligns with its bookkeeper premise. A better bookkeeper does not claim mystical authority. It keeps records that survive audit.
RPKI shows the importance of accepted trust, not self-declared authority
RPKI gives a hard lesson for any future numbering model. Certificates and signed entities can make route-origin authorization more verifiable, but their authority depends on accepted trust anchors and resource delegation. RFC 6480 describes a hierarchy rooted at IANA and extending through RIRs and lower tiers. A signature outside the accepted chain may be technically correct and operationally ignored.
For IANA, this means continuity of trust anchors is a service issue. If the top-level resource authority or supporting keys change, relying parties must receive clear, staged, authenticated information. RFC 8630's Trust Anchor Locator model and later trust-anchor key work show that bootstrap and key transition are governance problems as much as file-format problems. Relying parties need time, coexistence, multiple retrieval locations and confidence that a successor key is not an impostor.
For NRS, the same point is a boundary. NRS can publish supplemental holder evidence, continuity keys and signed receipts. It cannot make those globally authoritative merely by signing them. Operators must know whether a signature proves membership, holder assertion, independent review, recognised registry receipt or top-level delegation. Each proposition needs a different trust label.
A contractable IANA function should therefore separate trust classes. Authoritative top-level registry state should come from the accepted IANA operator or successor under the contract. Supplemental portability evidence may come from NRS or another assurance body. RPKI route-origin validity may come from the accepted certificate chain. Legal entitlement may require contracts, court records or regional registry decisions. Mixing these labels creates confusion and risk.
The positive future is not one root to rule every claim. It is an interoperable evidence environment where each root proves a narrow thing and where replacement of a service provider does not destroy historical proof.
RDAP and reverse DNS expose dependency chains
RDAP bootstrap and reverse DNS show why IANA cannot be reduced to an address-allocation table. RFC 9224 describes RDAP bootstrap registries generated from IANA allocation data with RDAP service information. The purpose is to direct users to authoritative registration data rather than rogue sources. RFC 3172 describes in-addr.arpa and ip6.arpa delegation through IANA and regional registries. These are dependency chains built on top-level recognition.
If the IANA operator or a successor mishandles these chains, the harm is practical. Query tools point to the wrong service. Abuse desks find stale records. Procurement checks fail. Reverse identity remains tied to an old delegation. RPKI and RDAP may disagree in ways that confuse relying parties. A holder trying to move after registry failure faces a public record that does not travel.
The contract should therefore require coherence across dependent surfaces. A top-level allocation change should trigger a check against RDAP bootstrap state. A reverse-DNS parent delegation change should have a recorded source and propagation report. A registry-service replacement should include a plan for public endpoints, caches, serials, certificates and notice to tool maintainers. A dispute should be marked without making the state unreadable.
This is where incumbent veto can hide. An incumbent registry or service provider may argue that only it understands the dependent surfaces and that replacement would endanger continuity. Sometimes that warning is true. Sometimes it is a bargaining position. Data proofs and rehearsed export packages help distinguish the two. If dependencies are documented and tested, continuity risk becomes manageable. If dependencies are private and personality-based, the incumbent becomes irreplaceable by design.
An NRS-compatible approach should be pro-continuity rather than anti-incumbent. It should not demand replacement for its own sake. It should demand that no incumbent can make replacement impossible by withholding evidence, formats, keys, historical state or service maps.
Replacement is a procedure, not a threat
The word "replacement" can sound destabilizing. For IANA numbering, it should mean the opposite: a tested path that allows the service to continue if the current operator materially fails, loses authority, cannot perform or is not renewed. The existence of a replacement path disciplines the incumbent precisely because it reduces panic.
A credible procedure begins long before failure. It defines qualification standards for a successor: technical capacity, neutrality, financial resilience, security controls, public reporting, data custody, key management, conflict rules, audit, language capability and continuity exercises. It requires the incumbent to maintain exportable state and provide cooperation. It defines who can trigger evaluation, who can approve a successor, how disputes are marked and how operators are notified.
The procedure must also protect uniqueness during transition. There should be a freeze or controlled-change period for certain top-level state. There should be reconciliation between incumbent and successor records. There should be a public cutover time, prior and new state commitments, emergency rollback rules, and a method for handling requests already in process. No holder should be able to exploit transition by presenting one record to one service and another record elsewhere.
Replacement should not depend on incumbent permission at the final moment. The incumbent should have due process, a chance to cure and a role in handover. It should not hold a veto after defined failure or non-renewal conditions are met. Otherwise the replacement right becomes theater.
This principle is central to the NRS-compatible thesis. Incumbents may be excellent. They may hold legitimate expertise. They should be heard. They should not be able to convert operational memory into permanent political ownership. The service belongs to the common uniqueness requirement, not to the office currently performing it.
Sovereignty language creates the wrong remedies
Number resources cross borders, but that does not make them sovereign territory. Governments have lawful authority over companies, contracts, taxes, sanctions, fraud, telecommunications licensing, insolvency and public safety within their jurisdictions. Those facts can affect registry evidence. They do not mean a state owns a prefix merely because a holder resides there or a registry is incorporated there.
Sovereignty language creates blunt remedies. If a state is said to own the resource, the registry becomes a diplomatic instrument. If a global corporation is said to own it, private governance hardens into quasi-sovereignty. If a regional registry is said to own it, member service turns into territorial control. If NRS claims ownership in response, the conflict merely changes flags.
The better remedy is contract and evidence. A court order can be recorded as a legal fact with a defined effect. A sanctions list can be processed through a service-classification and notice path. A regulator can require a domestic operator to act without rewriting the global top-level ledger. A registry can mark a dispute without reallocating resources prematurely. A successor can continue service without claiming political control.
This approach respects public authority where it belongs and prevents it from swallowing technical coordination. It also protects operators. They need predictable records, not sovereignty theatre. A bank financing IPv4 assets, a cloud accepting a route object, a public agency depending on a service or a small ISP transferring resources needs to know which institution will record a change and why. It does not benefit from grand claims about who owns the Internet.
NRS's strongest philosophy is the insistence that number-resource bodies are bookkeepers, not rulers. The contractable IANA model operationalizes that philosophy at the top: keep the book accurate, prove it, make the keeper replaceable and leave ordinary political authority outside the registry service.
No incumbent veto means objective qualification
Removing incumbent veto does not mean allowing any new entrant to claim authority. It means separating qualification from consent by the institutions whose market position would be threatened. A future service provider, including NRS if it seeks a role, should pass objective tests before receiving any recognised responsibility.
Those tests should be public. Can the candidate maintain globally reachable service endpoints? Can it protect keys? Can it process top-level requests under global policy without inventing policy? Can it publish signed state commitments and protected evidence receipts? Can it run RDAP bootstrap and reverse-DNS reconciliation exercises? Can it preserve confidentiality? Can it manage conflicts? Can it survive funding stress? Can it submit to independent review? Can it export data to another successor?
Incumbents should contribute to the test because they understand failure modes. Their evidence should be used. Their opposition should not be dispositive. A qualification regime controlled by incumbents becomes a cartel constitution. A qualification regime that ignores incumbent knowledge becomes unsafe. The answer is independent assessment against criteria agreed before a crisis.
The NRO, ICANN, IETF-adjacent technical experts, operators, holders, auditors and portability advocates can all contribute criteria. NRS can contribute the holder-portability and anti-capture view. The final rule should be service-neutral: whoever can meet the proof, continuity and accountability standards can be considered; whoever cannot should not receive recognition.
This is the practical meaning of a contractable function. Authority follows tested service obligations and accepted proof, not personality, history or veto.
The first NRS role is evidence, not replacement
A positive NRS-compatible article should not pretend that NRS already operates the IANA numbering service or an accepted global trust anchor. Its current public materials are advocacy, charter statements and membership terms. They establish philosophy and a member decision surface. They do not establish broad operator adoption, IANA delegation, RPKI root acceptance or global registry authority.
That limitation does not make NRS irrelevant. It identifies the right first role: build portable evidence services that can be evaluated without threatening uniqueness. NRS can issue reasoned membership receipts, protect member continuity keys, publish witnessed commitments to its own decisions, preserve holder-supplied evidence, support independent review of its admission or termination choices, and allow exit with verifiable history. It can show that a bookkeeper can be constrained by proofs.
From there, NRS can support holders in disputes, transfers or continuity planning by packaging evidence rather than declaring outcomes. A holder could carry signed history, corporate succession evidence, registry receipts, RPKI state, RDAP references, reverse-DNS records and dispute notes. Operators could verify that package while still checking authoritative IANA and RIR records. This would improve market and operational confidence without double allocation.
Only after such evidence services are proven should NRS seek more formal roles. A service that cannot explain its own membership decisions should not run a global registry. A service that can preserve evidence, support review, prove continuity and export state has a credible foundation for larger trust.
The positive case for NRS is therefore staged. First prove restraint. Then prove evidence. Then prove interoperability. Only then ask whether a recognised service role is justified.
The contract should protect holders as well as registries
The current numbering SLA is built around RIR customers, which is logical for top-level allocations. A future accountability model should add holder-facing protections without making each holder a contracting party. The contract can require the operator and successor to preserve evidence that holders need: historical top-level state, transfer-recognition markers, dispute notations, reverse-DNS delegation history, RPKI continuity information and public explanations of corrections.
Holder protections matter because registry service failures do not stop at institutional boundaries. If an RIR or top-level operator cannot prove continuity, a holder may lose cloud acceptance, loan value, transfer certainty, route-origin trust or public-sector eligibility. The holder may not care which institution failed; it cares that its resource history can still be verified.
The contract should therefore specify minimum export rights. On replacement, non-sensitive current state should be public. Protected evidence should move under escrow or independent custody. Holders should receive notice of records affecting them. Disputes should remain visible without publishing private allegations. Correction procedures should survive the handover. A successor should not start with a blank institutional memory.
This aligns with transfer market architecture. IPv4 scarcity has made number resources economically significant. A market cannot function if recognition disappears whenever the service provider changes. Finality requires a record that outlives the office. Portability requires proof that travels with the holder. Competition among registry services requires a way to move without duplicating resources.
NRS can press this holder-rights dimension while remaining faithful to uniqueness. The point is not to let a holder shop for the easiest registry. The point is to prevent a legitimate holder from being trapped by an unaccountable registry relationship when evidence can prove continuity.
Anti-fragmentation requires one state and many verifiers
The fear around alternative registry services is fragmentation: two incompatible records for the same resource, two RPKI views, two RDAP answers, two transfer histories and operators choosing sides. That fear is legitimate. A future model that treats every institution as equally authoritative by assertion would damage the very uniqueness it claims to protect.
The answer is not one unreplaceable institution. It is one authoritative current state, many verifiers and a defined procedure for changing the service provider that publishes that state. Verifiers can include RIRs, operators, NRS, auditors, researchers, cloud providers and public archives. Their job is to detect inconsistency, preserve evidence and hold the publisher accountable. They do not each create a conflicting current state.
This distinction is familiar in other systems. Many parties can verify a ledger without each minting the official balance. Many monitors can watch a transparency log without each issuing certificates. Many operators can validate RPKI without each assigning address space. Distributed verification strengthens a single state when roles are clear.
A contractable IANA function should encourage independent mirrors, witnessed commitments, reproducible state files, public validators and external audits. It should discourage private parallel states that look authoritative but do not reconcile. NRS should place itself on the verification side unless and until a recognised contract gives it a service role. That posture makes NRS safer and more persuasive.
Anti-fragmentation also means planning for emergency. If the incumbent fails, the successor should publish the same last valid state, not a preferred political rewrite. Corrections can occur after notice and evidence review. The first duty in transition is continuity of uniqueness.
Funding should follow the service, not the institution
A contractable function needs a funding model that pays for reliable service without making the operator irreplaceable. Funding should cover staff, security, infrastructure, audit, legal readiness, escrow, independent review, key management, continuity exercises and public reporting. It should not become a loyalty payment to the incumbent office.
If fees are routed through current institutions only, those institutions can frame replacement as financial chaos. If a successor has no guaranteed transition funding, the replacement right is hollow. If NRS or another candidate depends on opaque donor support, independence becomes questionable. The contract should therefore define service funding, reserve rules, transition funding and audit requirements in advance.
The current SLA uses reimbursement by RIRs for IANA numbering services. A future model could retain collective funding while making portions portable: escrow-funded transition support, independent assessor funding, public-proof infrastructure and emergency operating reserves. The money should attach to the service duties, not to the prestige of the incumbent.
This is not an argument for competitive tendering at machine speed. IANA numbering is too important for casual churn. It is an argument that a service provider should know it can lose the role for defined failure, and a successor should know it can perform without begging the incumbent for funds, data or cooperation.
Funding discipline is also an anti-politics discipline. Sovereignty stories often hide resource questions: who pays, who controls reserves, who funds litigation, who finances emergency staff. A contract puts those questions into numbers, audits and triggers.
Public proof should not become public exposure
More evidence is not always more public data. Number-resource records contain business relationships, contacts, security events, transfer negotiations, court materials and personal information. A proof-oriented IANA model should expose the minimum necessary to verify state, not every document behind a decision.
The public layer can show resource scope, current top-level status, issuer, sequence, time, reason class, dependent-service status and commitments to protected evidence. The protected layer can hold authenticated requests, identity proof, legal documents, staff analysis and security details under access rules. The audit layer can allow independent reviewers to confirm that protected evidence supports the public state without publishing the evidence itself.
This matters for NRS as well. A portability service that publishes too much will discourage holders and create security risk. A service that publishes too little will ask the world to trust it. The right answer is selective disclosure plus strong commitments: prove existence, integrity, sequence and reviewability; disclose contents only to parties with a legitimate need.
The design should also account for correction. If a public commitment includes a wrong state, the record should not be erased. It should be superseded with a correction, reason and link to the prior commitment. Historical integrity and current accuracy both matter. Deleting embarrassing records makes a bookkeeper untrustworthy; freezing false records makes it dangerous.
Proof without exposure is therefore a design requirement, not a slogan. It is how a global service can be accountable while respecting commercial and personal boundaries.
The replacement trigger should be precise
A replacement procedure is credible only when triggers are defined. Vague dissatisfaction is not enough. The service should identify conditions such as repeated material failure to meet high-severity service levels, refusal to provide required data export, security compromise without adequate cure, loss of legal capacity, insolvency affecting service, persistent failure to implement valid global policy requests, failure to preserve uniqueness, or non-renewal after due process.
Each trigger should have evidence. A repeated service miss requires metrics and incident classifications. A data-export failure requires proof of request and non-delivery. A security failure requires protected but reviewable findings. A uniqueness failure requires conflicting state records or duplicate delegation. A legal-capacity issue requires formal documents. The replacement decision should not rest on mood.
The procedure should also have a cure path. Some failures can be corrected. Some require temporary step-in without permanent replacement. Some require independent monitoring. Some justify immediate emergency action. The contract should distinguish them before a crisis.
NRS should support precise triggers because they prevent both capture and chaos. Incumbents cannot be removed merely because an alternative dislikes them. Incumbents also cannot stay merely because removal is politically awkward. The service standard, not institutional identity, does the work.
Precision also protects global uniqueness. During a contested replacement, operators need to know which state to rely on. A defined trigger and public notice reduce the risk that two institutions claim the same role at the same time.
The first contract should be testable without a crisis
A contractable IANA model should not wait for institutional failure before testing its promises. The first service contract, or the next revision of an existing one, should require regular exercises that prove the service can be reconstructed from evidence rather than institutional memory. A tabletop exercise is useful, but it is not enough. The operator should periodically produce a successor export, a current-state commitment, a dependent-service reconciliation and a sample protected-evidence packet for independent review.
The exercise should be narrow and safe. It should not move live authority. It should choose a historical change, a current delegation state, a reverse-DNS update path and an RDAP bootstrap relationship, then ask an independent reviewer to reconstruct what happened from the exported evidence. If the reviewer cannot tell which state is current, why it changed, which dependent surfaces were touched or what protected evidence supports the change, the service has a portability defect even if daily operations are green.
This kind of test would change incentives. An incumbent operator would know that it must maintain records in a successor-readable form. A potential successor would learn the real operating surface before a crisis. RIRs would learn which dependencies are poorly documented. Holders would gain confidence that their recognition history is not trapped in private systems. NRS and other external verifiers would be able to critique evidence quality without claiming authority over the live registry.
The test should include failure assumptions. What if the incumbent's main repository is unavailable? What if a signing key is rotated during the export period? What if a request is mid-review? What if a court order affects one holder but not the top-level delegation? What if RDAP bootstrap and reverse-DNS records disagree? What if one RIR disputes the exported state while four accept it? A contract that cannot answer these questions before failure will answer them under pressure later.
The public result can be limited. Security details, authentication material and private holder evidence should remain protected. But the reviewer can publish whether the export was complete, whether state was internally consistent, whether dependent services reconciled, whether protected evidence existed, whether recovery timing met expectations and which categories need correction. That is enough to make replacement credible without exposing sensitive records.
This testable-contract approach is where NRS can contribute most constructively. Instead of asking the world to choose between today's incumbents and tomorrow's challenger, NRS can ask every service provider to prove portability. The demand is neutral. If PTI passes, trust in PTI rises. If a future NRS service passes for its own records, trust in NRS rises. If an incumbent blocks the test, the community learns that the threat to continuity comes from opacity, not from the idea of replacement.
Regular testing also prevents reform from becoming a crisis weapon. The point is not to keep a successor waiting in ambush. The point is to make every operator behave as if the service, not the office, is the permanent thing. That is the central discipline of a contractable IANA function.
If the exercise is boring, it has succeeded. Boring proof is what keeps replacement lawful, calm and technically survivable when institutional confidence suddenly falls. It also gives operators a shared reference before rumor becomes route policy.
A future model can be radical by being narrow
The most radical change would be to make the IANA numbering function boringly contractable. Not symbolic. Not sovereign. Not owned. Not immune. A defined service, performed by a qualified operator, under visible metrics, data proofs, independent review, holder-sensitive evidence rules and real replacement.
That model is compatible with the best version of NRS. NRS can argue that registry power should be limited, evidence should travel, holders should not be captive, markets should receive reliable proof, and incumbents should remain replaceable. It can do so while insisting that the current authoritative state remains singular and that supplemental records must not masquerade as recognised allocation.
The model is also compatible with ICANN's legitimate role. ICANN can continue to coordinate at the top-most level where its mission requires it. PTI can continue to operate the function if it meets the service standard. RIRs can remain parties and policy developers. Operators can gain better proof. Holders can gain portability. Governments can act within ordinary jurisdiction without claiming ownership of the number space.
The tension is not between order and reform. It is between unreviewable order and verified order. A contractable IANA function chooses verified order. It says: keep one state, prove it, make the keeper accountable and prepare for replacement before replacement is needed.
That is the path by which global uniqueness can survive institutional change without becoming political property.

