Summary

  • The AFRINIC crisis makes the next institutional question unavoidable: if discretionary registry power has to be narrowed or moved, the transition must protect resource records, live services and users before it settles who governs.
  • The useful rehearsal does not begin with a scandal headline.

The morning-after question is whether the registry can be bypassed without breaking the network

The useful rehearsal does not begin with a scandal headline. It begins with an operator sitting in front of a dependency map and asking a blunter question: if a regional registry office could not be trusted tomorrow morning, would the internet know what to do? Not whether lawyers could explain the last fight. Not whether a public statement could defend the old model for another week. Not whether the incumbent institution could still invoke the language of community, uniqueness and stability. The question is operational. Would the resource records continue to mean the same thing? Would RDAP and Whois keep answering? Would reverse-DNS delegations continue to resolve? Would RPKI and resource-certification services avoid sudden disruption? Would ASN records and transfer files remain usable? Would disputes be contained rather than allowed to poison routine service?

AFRINIC makes that rehearsal unavoidable because it combines a small legal vessel, a continental service footprint, scarce IPv4 value, court-supervised governance repair, contested elections, member dependency and live technical services. Official AFRINIC material presents a registry with a broad service stack: internet number resources, Whois, RDAP, reverse DNS, DNSSEC-related support, internet routing registry functions, resource certification and member services. Its policy material describes IPv4 exhaustion, allocation and assignment rules, intra-regional transfers, ASN registration, abuse-contact publication and reverse delegation. That is not merely a boardroom. It is a settlement layer used by networks that route traffic, sell connectivity, lease or transfer addresses, satisfy auditors, maintain customer contracts and answer security complaints.

The mistake is to treat a transition beyond discretionary RIR power as a synonym for institutional destruction. A registry can become too contested, too discretionary or too fragile to remain the sole gatekeeper without making its records worthless. Indeed, the entire economic case for a transition architecture is that the records are more valuable than the office that happens to maintain them at a particular moment. The registry ledger is a continuity asset. The gatekeeper is an institutional arrangement around it. If the arrangement fails, the ledger should not fail with it.

That distinction matters because number resources are unusual assets. They are not property in the ordinary real-estate sense, and official policy texts often resist ownership language. But they are also not casual administrative conveniences. A recognised IPv4 prefix can sit inside revenue forecasts, lending files, data-centre planning, customer allowlists, firewall rules, peering sessions, mail-delivery reputation, geolocation systems, lawful-access logs and renumbering budgets. An ASN can be part of a network's public identity. A reverse-DNS delegation can affect whether mail is delivered or filtered. RPKI records can influence whether routes are accepted by parties that validate origin authorization. The holder's reliance is economic even where the legal form remains contractual or policy-based.

The rehearsal therefore needs a different grammar from punishment. It should ask how to preserve uniqueness, continuity, reliance and evidentiary history if the incumbent registry cannot safely exercise broad discretion. It should not ask how to humiliate the incumbent, strip memory from staff, or improvise a heroic replacement in the middle of litigation. A serious transition starts from the principle that live networks are not bargaining chips. The network did not consent to become hostage to the health of any single membership company, receiver process, electoral dispute or policy priesthood.

AFRINIC's public record supplies the warning. Receivership was reported as a way to preserve operations and arrange governance repair. Later reporting described board elections, proxy-vote controversy, annulment, ICANN concern, a wind-up application, member-right disputes and later recovery claims. The lesson is that the registry layer can enter a prolonged state in which service continues, legal authority is contested, members disagree about who may act, and outsiders still rely on the data. That is the condition a transition architecture must survive.

The morning-after answer cannot be a speech about multistakeholder tradition. It has to be an engineering-grade migration plan, supported by legal mapping and economic incentives. It must say which data are authoritative, who can verify them, which services keep running, which decisions are frozen, which can proceed, how disputes are quarantined, how audit trails are preserved, and how a temporary authority gains only enough power to keep the system alive.

Transition is not punishment; it is the price of preserving reliance

The first rule of transition architecture is that continuity and sanction must be kept separate. A registry may deserve criticism, discipline, replacement of leadership, external review, receivership, restructuring or even eventual substitution. None of those remedies should be allowed to corrupt the registration history on which networks rely. If a bank fails, the payment records do not become expendable evidence of institutional failure. If a port authority is investigated, shipping manifests are not casually destroyed. If a land registry office is reorganised, title history is not treated as a trophy of the reformers. Number-resource governance needs the same discipline.

The economics are straightforward. The holder of a prefix or ASN relies on a chain of recognised entries, service dependencies and public signals. The value of that reliance is not confined to the immediate registry fee. It includes avoided renumbering, customer continuity, transaction certainty, borrowing capacity, procurement eligibility, abuse handling, routing reputation and future optionality. A transition that damages that reliance may punish the wrong party. The incumbent registry's insiders may be responsible for poor decisions, but the cost of a broken transition falls on operators, customers, creditors, counterparties and public services that had no realistic control over the registry's governance.

That is why a transition beyond discretionary RIR power must be narrow before it is bold. It should begin by defining which registry functions are essential, which are political or discretionary, and which can be temporarily suspended without hurting the network. Essential functions include preservation of the registration ledger, query services, reverse-DNS continuity, RPKI continuity where certificates are in use, ASN record maintenance, validated contact updates, transfer settlement where no live dispute exists, abuse-contact publication and support for urgent operational corrections. Political or discretionary functions include broad policy campaigns, contested reallocations, aggressive enforcement actions, institutional messaging and any decision whose main effect is to expand gatekeeper power while authority is under question.

Punishment tends to blur these categories. It imagines that disabling the institution will discipline the institution. But where the institution is also a service dependency, disabling it can discipline the users instead. The more valuable IPv4 becomes, the more this distinction matters. Scarce addresses have become economic infrastructure. They can be valued, lent against, leased, transferred, insured, reserved for customer growth or embedded in business continuity planning. If a transition makes those positions uncertain, it imposes a hidden tax on every holder in the region, including the small networks that have the least capacity to diversify away from registry disruption.

AFRINIC's policy environment makes the issue visible. The region is in IPv4 exhaustion Phase 2, with small allocation and assignment sizes, utilisation checks and constrained future supply. Its policy manual requires registration of allocations, assignments and other resource entries in the AFRINIC database, treats correct registration data as necessary for network operations, and ties reverse delegation to registered assignments or sub-allocations. The registration layer is not decorative; it rationed scarce supply, supports transfers, delegates reverse DNS and makes operational identity legible.

A transition architecture therefore needs a non-retaliation principle for records. No holder should lose operational recognition merely because the registry office has become disputed. No routine service should stop merely because litigation has become intense. No transfer that satisfies objective conditions should be converted into a political hostage. No service contractor or emergency trustee should be allowed to treat temporary authority as a mandate to redesign policy. The point is not to shield holders from legitimate review. It is to make sure legitimate review occurs in a channel designed for review, not through accidental service collapse.

This discipline also protects the transition itself. A replacement effort that begins by creating chaos will confirm every incumbent argument for keeping the old gatekeeper. A replacement effort that preserves service, publishes evidence, respects bounded disputes and narrows discretionary power can change the institutional bargain without asking the world to gamble on rupture. The credible alternative to RIR discretion is continuity architecture that makes the incumbent less irreplaceable because the ledger, services and holders are more resilient.

Four layers have to be separated before the old office can be made less indispensable

The current RIR model packages several functions inside one institutional wrapper. That packaging feels efficient in normal times and dangerous in contested times. The office keeps the data, runs the services, interprets policy, processes transfers, communicates with members, convenes policy forums, handles disputes, responds to courts, speaks to global coordination bodies and presents itself as the voice of regional continuity. Transition architecture begins by unbundling that package into four layers: data, service, authority and dispute.

The data layer is the ledger and its history. It includes prefixes, ASNs, holder identity, contact records, allocation and assignment status, reverse-DNS delegations, transfer histories, membership-standing signals relevant to service, audit logs, time stamps, signing keys where applicable, and the chain of changes that explains how a record reached its current state. The data layer must be complete, exportable, signed, auditable and reproducible. It is the part of the system that should be least vulnerable to personality, rhetoric and institutional mood.

The service layer is what users touch. It includes Whois and RDAP query services, reverse-DNS operations, RPKI and resource certification where relevant, registry portals, transfer processing, ticketing, member support, abuse-contact publication and ordinary record correction. These services can be operated by the incumbent, a contractor, a trustee, a temporary operator or a successor, provided the operator is constrained by the data layer and by narrow service rules. The service layer should be replaceable without changing the rights or reliance positions represented in the data.

The authority layer decides who may change records, under what rule, with what evidence, and with what review. It is the most dangerous layer because it converts administrative access into economic power. A party that can change the recognised holder of a prefix can affect transaction value. A party that can refuse or delay a transfer can alter liquidity. A party that can suspend service can change bargaining positions. A transition architecture must therefore keep authority thin, documented and rule-bound. Emergency authority should authorize only what is necessary for continuity, fraud prevention and uncontested maintenance.

The dispute layer handles claims, corrections, appeals, litigation, liability and contested entitlement. It must be isolated from routine service. A contested block should be marked, protected and handled through a defined process. It should not cause unrelated records to freeze. A dispute over one holder's status should not stop RDAP for the region. A court filing should not disable reverse-DNS service for networks that are not parties. A transfer challenge should not become a license for broad policy improvisation. Isolation is the difference between adjudication and contagion.

These four layers are not abstractions. They answer concrete failure modes. If a registry's board is absent, the data layer should remain readable and verifiable. If the office loses staff, the service layer should be operated under a substitution plan. If leadership is contested, the authority layer should shrink rather than expand. If litigation erupts, the dispute layer should preserve evidence and prevent disputed claims from spilling into ordinary service. If a wind-up application or receivership event appears, the legal handoff should know which layer is being protected and which layer is being reviewed.

Separating the layers also clarifies what a beyond-RIR architecture is not. It is not a single new global office with a different logo. That would merely move the chokepoint. It is not a romantic peer-to-peer fantasy in which everyone declares their own address history and hopes the market sorts it out. Uniqueness and reliance still require common facts. Nor is it a coup by large holders. A credible design must protect small networks, public-sector users and late entrants, not only the parties wealthy enough to litigate.

The better model is thin coordination around verifiable facts. The common layer should contain only the invariants needed for uniqueness, record continuity, security and compatibility. Future policy preferences, commercial arrangements and regional advice should sit outside that common layer unless they are truly necessary to preserve those invariants. The four-layer separation is the institutional version of that technical principle. It keeps the facts portable, the services substitutable, the authority narrow and the disputes contained.

Escrowed ledger data is economic insurance, not a backup folder

Every serious transition design starts with escrowed registry data. Yet the word escrow understates the point if it is understood as a stale backup kept for disaster recovery. For number resources, escrowed ledger data is economic insurance. It reduces the monopoly value of the incumbent office by ensuring that the facts needed for continuity can be verified outside the office before a crisis. It also reduces the panic value of rumors, because members, courts, emergency operators and coordination bodies can distinguish an institutional fight from a data failure.

The minimum data set must be more than a current snapshot. A current snapshot says who appears to hold what today. A transition requires history. It needs allocation and assignment provenance, transfer records, resource-status changes, reverse-DNS delegation state, ASN registration records, public contact entries, abuse-contact references, RPKI-related state where relevant, ticket-derived audit trails for material changes, payment-standing indicators where policy or contract makes them operationally relevant, and flags for active disputes. Without history, a substitute operator can answer queries but cannot explain why the answer is reliable. Without dispute flags, it may either process too much or freeze too much. Without signing and time stamps, every snapshot becomes a matter of trust.

Escrow also needs cryptographic verification. A regular export should be hashed, signed and witnessed by parties whose incentives are not identical. The witness set need not become a new ruler. It can be a narrow assurance mechanism: auditors, courts, emergency trustees, member representatives, technical verifiers or other bounded roles. The aim is to make tampering expensive and detectable. If the registry office later claims that a controversial record changed, the question should not be whose press release sounds more authoritative. The question should be which signed history proves the change, which rule authorized it and which review channel can examine it.

Privacy boundaries matter. Registry data contains contact details, operational notes, corporate documents and support history that may be sensitive. Escrow cannot mean dumping private member files into public view. It must separate public records, member-confidential material, security-sensitive records and litigation-protected evidence. The public should be able to verify enough to know that uniqueness and service continuity are protected. Members should be able to verify their own holdings and material histories. Courts and duly authorized reviewers should be able to inspect deeper records under controlled conditions. A transition architecture that ignores privacy will be resisted for good reasons.

Member access is the overlooked insurance feature. A resource holder should be able to obtain a portable, signed statement of its recognised resources, status, relevant service delegations and material change history. That statement should not replace the registry ledger, but it should give the holder evidence if the registry fails, disputes its status or refuses ordinary service. In capital markets, lenders ask for documents because reliance needs evidence. In address markets, holders also need evidence. A member that can prove its position is less captive to a failing office.

Court usability is equally important. AFRINIC's experience shows that courts may become the venue for preserving operations, arranging elections, testing member rights or hearing wind-up claims. Judges should not be forced to reconstruct the registry from advocacy narratives. They need structured data, verified snapshots, clear service maps and dispute schedules. A court order can protect continuity only if the court can see what continuity consists of. Escrowed data turns the ledger from a mysterious technical artefact into usable evidence.

Finally, escrow changes incentives before it is ever used. Incumbent registries resist transition partly because they know their control over data makes substitution dangerous. Peer institutions fear precedent because they worry that one substitution will make every registry less politically secure. Governments may hesitate because they cannot see a path between deference and national takeover. Members may remain passive because exit looks impossible. Verified escrow lowers the stakes of imagination. It shows that the network can survive institutional change because the facts are no longer trapped inside the institution.

Service substitution should keep the lights on without creating a new throne

Once data are verifiable, service substitution becomes possible. That does not mean an emergency operator should acquire the incumbent registry's full discretion. The service substitute should be a narrow utility. Its job is to keep essential functions running while authority is repaired, relocated or rebuilt. It answers queries, maintains delegations, processes uncontested updates, preserves RPKI and certification continuity where applicable, supports urgent member requests, implements court or trustee instructions that satisfy defined standards, and logs everything. It does not rewrite regional policy, settle political arguments or convert temporary access into permanent institutional power.

The analogy is closer to an emergency payment processor than to a new central bank. A processor can keep payments moving under rules. It should not decide monetary policy. A temporary registry operator can keep RDAP, Whois, reverse DNS, ASN records, RPKI continuity and transfer support alive under narrow conditions. It should not decide the future constitution of number-resource governance. The more constrained the service substitute is, the more acceptable it becomes to members, courts, governments and technical counterparties.

AFRINIC's service map shows why substitution cannot be improvised. Reverse-DNS policy ties delegations to registered assignments or sub-allocations. ASN records require public registration and contact maintenance. Transfer policy requires a recognised source holder, a recipient that justifies need, membership conditions and absence of live dispute over the relevant resources. Exhaustion rules require ticket handling, completeness checks, utilisation tests and scarce-pool management. RPKI-related services can carry direct operational implications for networks that rely on route-origin validation. These tasks require tested systems, operational staff, access controls, key management, change windows, member communications and rollback procedures.

Emergency service substitution therefore has to be rehearsed before the emergency. The playbook should identify which systems can be mirrored, which keys require custody planning, which interfaces members need, which service-level targets apply, which updates are permitted, which updates must pause, which disputes create holds, and which records trigger mandatory review. It should also define how members are told what has changed. Silence is dangerous because it creates rumor markets. Overbroad statements are dangerous because they imply powers the substitute does not hold. The message should be boring: records remain recognised, services continue, contested changes are isolated, material actions are logged and the substitute lacks broad policy authority.

Who could perform this role? Several models are possible. A technical contractor could run systems under trustee oversight. A court-appointed administrator could contract operational work while retaining legal custody. A neutral service company could provide query, DNS and certificate operations under a strict change-control schedule. A successor registry could assume service without inheriting every unresolved dispute. A member-protection trustee could hold data escrow and authorize routine maintenance. The choice is less important than the constraint. The substitute must be powerful enough to prevent service collapse and too weak to become a new discretionary gatekeeper.

The hardest design problem is RPKI and related security state. A registry's certification services are valuable because they connect resource records to cryptographic assertions. But that value also makes sudden changes dangerous. A substitute service layer should preserve existing valid state, maintain expiration and renewal paths, support emergency key continuity and avoid discretionary revocation except under predefined conditions. If a security service becomes a weapon during transition, the cure becomes worse than the disease.

Service substitution is credible only if it is reversible. If the incumbent repairs itself, the service can return under verified conditions. If a successor is created, service can migrate again. If a holder ports to another recognised service arrangement, its evidence can move with it. Reversibility disciplines everyone. It tells incumbents that continuity does not depend on them forever. It tells substitutes that they are not sovereign. It tells holders that transition is not a trap.

Portability turns exit from a slogan into a governance constraint

Portability is often discussed as a right. In transition economics it is also a price signal. If a resource holder can move recognition and service to another competent arrangement when the incumbent registry fails objective conditions, the incumbent's discretion becomes less valuable. If the holder cannot move, the registry can be mediocre, fragile or politicised while members remain captive. Exit is the difference between accountability by structure and accountability by hope.

Portability cannot be unlimited in the casual sense. A holder should not be able to shop for a friendly recordkeeper while an unresolved entitlement dispute is pending. A debtor should not use portability to evade a lawful freeze. A fraudulent claimant should not port a prefix by waving a forged document at a busy contractor. A sanctioned or legally restrained party may raise issues that a transition architecture cannot ignore. But those limits are not arguments against portability. They are arguments for designing it carefully.

A workable portability test has several conditions. The holding must be verified through signed registry data and holder evidence. Fees or service obligations must be standing or capable of neutral escrow. Disputes must be absent, bounded or clearly marked so that uncontested parts can move while contested parts remain protected. Operational continuity must be preserved: RDAP, Whois, reverse DNS, RPKI, ASN records and contact publication should not break during the move. The receiving service must accept the narrow duties associated with the record without acquiring power to revisit the holder's entire history absent defined cause. The old service must lose the ability to hold the holder hostage once the portability conditions are met.

AFRINIC's scarcity environment sharpens the case. In Phase 2, available IPv4 is rationed in small blocks and additional requests require utilisation evidence. Transfers become more important because new supply is constrained. If the only registry able to recognise a regional transfer becomes too slow, too contested or too discretionary, liquidity is impaired. The result is not merely inconvenience. It changes balance-sheet value, merger timing, leasing supply, entry costs for small networks and the financing of network growth. Portability is therefore not a luxury for impatient holders. It is a way to prevent a failing service monopoly from imposing a regional liquidity discount.

Portability should be staged. The first stage is evidence portability: every holder can obtain signed proof of its recognised resources and material history. The second is service portability under emergency conditions: query, DNS and certification continuity can move temporarily if the registry fails service tests. The third is authority portability: routine updates and uncontested transfers can be processed by a successor or trustee under narrow rules. The final stage is institutional portability: the holder's relationship can move permanently if the old registry cannot satisfy continuity and accountability requirements. Each stage should be reversible where facts change.

That sequence makes portability less frightening and more credible. It is not a sudden jailbreak. It is a safety valve with defined triggers. It tells registries that good service and restraint are cheaper than lock-in. It tells holders that exit does not require chaos. It tells the technical community that uniqueness can survive mobility because the data layer, not the incumbent office, is the anchor.

Transfers need settlement rails rather than heroic discretion

Transfer processing is where registry discretion most visibly becomes market infrastructure. A transfer is not just an administrative update. It is a settlement event. A seller, buyer, lender, broker, lessor, auditor, tax adviser, data-centre planner and customer team may all rely on the registry's execution. In a scarce IPv4 market, a delayed or uncertain transfer changes value. A contested transfer can freeze capital. A transfer that is later questioned can contaminate routes, contracts and accounts. Transition architecture therefore needs transfer settlement rails that can survive a failing or contested registry.

AFRINIC's policy manual provides a useful starting point because it treats intra-regional IPv4 transfers as conditional. The source must be the recognised current rights holder and not involved in a dispute over the resources. The recipient must justify need, become or be an AFRINIC member, accept applicable policies and sign the registration services agreement. Transferred legacy resources lose legacy status. Whether one agrees with every rule is less important here than the settlement insight: transfer execution depends on source status, recipient qualification, dispute status, documentation and registry update.

In a transition setting those elements should be converted into objective rails. Source verification should be based on signed ledger history and holder authentication, not on a discretionary official's unexplained comfort. Recipient checks should be bounded to the rules that genuinely protect uniqueness, fraud resistance and continuity. Need-based review, where retained, should have evidence standards, timelines and appeal routes. Dispute checks should identify the specific resources under dispute rather than freeze unrelated holdings. Payment and fee issues should be escrowable where they do not concern fraud or entitlement. Every material step should be logged.

Settlement rails also need a closing-room structure. The registry or substitute should publish what is required before submission, what is checked after submission, when the record will change, what happens if a court order arrives mid-process, how rollback works if fraud is discovered, and how counterparties receive confirmation. A transfer market without predictable closing mechanics prices in the risk of registry discretion. That risk becomes a liquidity discount. In regions where address scarcity already burdens new entrants, an avoidable liquidity discount is a hidden tax on growth.

Disputes should not be used as magic words. If a source holder's status is genuinely disputed, a hold may be necessary. But the hold should be resource-specific, evidence-based, time-limited or periodically reviewed. A registry in institutional distress has incentives to expand the definition of dispute because dispute status justifies control. A transition architecture has to reverse that incentive. The party claiming dispute should carry an evidence burden. The service layer should maintain non-disputed services. The holder should have a path to correct errors. Courts should receive a structured dispute schedule rather than a fog of allegations.

Transfers also expose the relationship between portability and regional continuity. If a holder cannot complete a transfer because the registry has become dysfunctional, but the transfer conditions are otherwise satisfied, should a neutral substitute execute the update? The answer should be yes under a staged framework. A verified transfer should not wait indefinitely for institutional normalcy. But the substitute's authority should come from the settlement rails, not from a broad claim to govern the region. It should execute the valid transition, preserve the evidence and leave broader policy to the appropriate future forum.

Large holders and brokers will try to shape these rails to their advantage. They prefer speed, liquidity and minimal friction. Small networks need protection against fraud, sudden price pressure and being outbid for scarce resources. Governments care about national connectivity and lawful oversight. Incumbents care about retaining discretion. The design should not pretend these incentives disappear. It should make them less dangerous by shifting transfer execution from personality to rule, from hidden delay to timelines, and from office control to verifiable settlement.

The final point is auditability. Every transition transfer should be auditable by the holder, the recipient, a reviewer and, where necessary, a court. The audit trail should show the record before transfer, the authority for the change, the evidence received, the dispute check, the fee standing, the service changes, the time of update and any certification or reverse-DNS consequences. If the new architecture cannot prove why a transfer happened, it will not be trusted. If it can prove the transfer without asking outsiders to trust an office, it will have reduced the power of the gatekeeper.

Authority must be narrow enough that users do not have to worship it

The authority layer should be designed with suspicion, including suspicion of the reformers. A registry crisis often attracts parties who say they need broad powers to fix the mess. Some do. Most do not. The recordkeeping function requires authority to authenticate holders, update records, prevent duplication, correct errors, process valid transfers, maintain delegations and respond to lawful orders. It does not require a permanent political power to decide every future business model, regional preference or moral claim about address use.

The practical test is whether a decision preserves a global invariant or merely expresses institutional preference. Uniqueness is a global invariant. A prefix cannot be validly assigned to two unrelated holders in the same compatibility set. Basic authenticity is a security invariant. A forged request should not update a record. Continuity of query and delegation services is a reliance invariant. The network should not lose ordinary services because governance is in dispute. By contrast, many choices around commercial use, leasing, customer geography, business structure, deployment timing or policy aspiration are not invariants in the same sense. They may matter to a region, but they should not be smuggled into the core authority layer unless they are truly necessary to keep the system coherent.

This distinction responds to a recurring failure in registry governance: a thin technical role expands into broad social control because the same office holds the database, policy vocabulary and service switch. The answer is not to deny that policy questions exist. It is to prevent policy preference from becoming unreviewable record control. If a region wants to debate address-use norms, it can do so through advisory, contractual or legislative channels. The emergency authority maintaining the ledger should not be allowed to weaponize routine service to win those debates.

Narrow authority should have defined inputs and outputs. Inputs include signed holder requests, authenticated contact changes, transfer packages, court orders, fraud reports, payment status where relevant, operational incident reports and verified dispute notices. Outputs include record updates, holds, service delegations, certification renewals, transfer confirmations, public status messages and audit logs. For each output, the rule should say who can authorize it, what evidence is required, what notice is given, how quickly it occurs, what review is available and what happens if the decision is wrong.

The review path should not become the main event. A system that relies on appeals for every ordinary decision has already made discretion too large. The better design is to make most decisions deterministic or ministerial, leaving review for exceptional cases. If a holder has signed evidence, standing fees and no active dispute, a contact update should not require institutional philosophy. If a reverse-DNS delegation satisfies technical tests and rests on registered resources, it should not be a political favor. If a transfer package meets the settlement rails, execution should not depend on whether the incumbent likes the market consequences.

Authority also needs blast-radius limits. During transition, no single official should be able to make high-consequence changes without dual control, logging and delayed effectiveness where delay is safe. Emergency actions should be possible for security incidents, fraud prevention or legal compliance, but emergency actions should expire into review rather than become precedent. Staff, trustees and contractors should have role-based access. Keys should be controlled through documented custody. Material changes should be witnessed. These controls sound mundane because they are. Boring controls are how infrastructure escapes charismatic governance.

A beyond-RIR architecture should therefore be judged not by whether it has no authority, but by whether its authority is small enough to be understood, audited and replaced. Users should not need to believe in the virtue of the office. They should be able to inspect the rule, verify the evidence and predict the outcome. That is the economic difference between a ledger and a gatekeeper. A ledger reduces uncertainty because it is boring. A gatekeeper increases uncertainty because every interaction becomes a negotiation with power.

Disputes should be quarantined so they do not become a regional outage

No transition architecture can eliminate disputes. Scarce resources create incentives to contest history, challenge signers, attack transfers, question membership status, allege fraud, invoke court orders and argue over policy. The design goal is not a dispute-free registry. It is dispute isolation. The system should be able to say that one prefix, one transfer, one holder status or one election document is contested without turning the entire regional service layer into collateral.

AFRINIC's recent history shows why this matters. Public reporting has described receivership, contested election processes, alleged proxy irregularities, ICANN interventions, a wind-up application, member-right disputes under Mauritian company law and arguments over whether numbering resources are assets of the registry. Each controversy has legal and institutional significance. But the internet still needs query services, reverse-DNS operations, ASN record stability and holder support while those controversies move through their channels. A registry that cannot separate dispute from service turns every legal fight into operational leverage.

The quarantine model begins with classification. Some disputes concern entitlement to a resource. Some concern who may speak for a holder. Some concern whether a transfer package is valid. Some concern the registry's corporate governance. Some concern policy legitimacy. Some concern invoices or contractual standing. Some concern alleged fraud or forged authority. Treating all of them as equal is a recipe for over-freezing. A dispute over board election procedure should not automatically impair an unrelated holder's reverse-DNS delegation. A disputed power of attorney should not become a general argument against all member representation. A wind-up proceeding should trigger service-continuity planning, not a presumption that every record is suspect.

Quarantine also requires resource-specific marking. If a prefix is subject to a credible claim, mark that prefix and freeze only the changes that could prejudice the claim. Continue routine public query service. Continue unrelated contact updates where safe. Continue reverse-DNS service unless the dispute specifically concerns delegation control. Maintain certification state unless a predefined security or legal condition requires change. Keep fees separate from entitlement where possible. Publish enough status for counterparties to understand risk without disclosing protected evidence.

The dispute layer should have its own evidence rules. A party alleging fraud should present specific documents, dates, signers and affected resources. A party alleging lack of authority should identify the corporate authority defect. A party relying on a court order should provide the order, scope and service consequences. A party asking for emergency hold should identify the harm prevented by the hold. Unsupported suspicion should not be enough to freeze another network's operating position. But credible evidence should be enough to prevent irreversible changes while review occurs.

Appeals and litigation must be connected but not merged. A registry or substitute can provide internal correction and review for administrative errors. Courts can decide legal rights when their jurisdiction is engaged. The transition architecture should help both by preserving evidence and service. It should not pretend that internal appeal can replace law. Nor should it allow every court filing to suspend ordinary operations beyond the order's scope. The system must learn to obey lawful commands precisely, not theatrically.

Liability is part of quarantine. If the service layer follows a documented rule and preserves evidence, its exposure should be easier to assess. If it improvises, favors one faction or disables unrelated services, its exposure grows. Members also need clarity. A holder under dispute should know what is frozen, what continues, what evidence is needed, how long review will take and what remedies exist if the hold was wrong. Counterparties should know whether they can rely on the record for operations, transfer or credit. Uncertainty is expensive. Dispute quarantine is a way to price uncertainty only where it belongs.

The temptation in a crisis is to say that everything is connected. Politically, that may feel true. Institutionally, it is fatal. If everything is connected, every dispute justifies total control. A mature transition architecture does the opposite. It breaks the problem into bounded claims so the network can continue around them. That is not indifference to law. It is respect for the difference between adjudicating a claim and holding users hostage.

Legal handoff should be mapped before anyone asks a court to improvise it

Technical continuity cannot outrun legal form forever. AFRINIC is incorporated in Mauritius. Other registries sit in their own domestic legal systems. Contracts, bylaws, membership categories, insolvency rules, data-protection duties, employment obligations, bank accounts, leases, insurance, supplier contracts and court orders all shape what can happen in a crisis. A transition architecture that ignores those realities will fail when it most needs authority. The legal handoff must be mapped before failure, not invented in the corridor after an emergency hearing.

The first map is corporate. Who legally controls the registry entity? Who can instruct staff? Who can access bank accounts? Who can bind the entity to a service contract? Who can authorize a data export? Who can sign a transfer agreement? Who represents the registry in court? What happens if there is no board, a receiver, a provisional liquidator, a trustee or contested directors? The answers vary by jurisdiction, but the questions should not wait for crisis. In AFRINIC's case, reporting around receivership and board absence shows how quickly the corporate map can become the operational map.

The second map is contractual. Members may have registration service agreements, fee obligations, portal credentials, policy commitments and service expectations. Suppliers may provide hosting, security, DNS, email, software, audits, payment systems or office services. Staff contracts may control who can operate systems. Insurance policies may condition emergency actions. A substitute operator needs to know which contracts can be assigned, mirrored, suspended or replaced. It also needs to know which member obligations are essential for continuity and which can be deferred without risk.

The third map is data protection. Registry records include personal data, corporate contacts, technical contacts, abuse contacts, identity documents, support tickets and perhaps sensitive operational details. Cross-border escrow and service substitution require lawful bases, access controls, retention rules, breach procedures and member notice. Privacy is not an excuse for data captivity, but neither is transition an excuse for uncontrolled disclosure. The design should define public records, holder-access records, reviewer-access records and court-access records in advance.

The fourth map is court usability and public authority. If a court is asked to preserve service, appoint a receiver, approve a handoff or consider winding up the registry, it needs a continuity schedule covering essential services, data escrow, key custody, member communications, funding, dispute holds, transfer queues and legal constraints. Governments also need a defined role: receive notice, protect national critical services, support lawful evidence handling, respect global uniqueness and avoid unilateral duplicate records. The aim is to restore public responsibility without turning numbering into a geopolitical land grab.

The fifth map is successor legitimacy. If the incumbent cannot continue, who can receive the ledger and services? A trustee, contractor under court supervision, holder-elected association, federated service layer or successor regional body may each fit a different phase. Emergency service can move before constitutional legitimacy is rebuilt, provided authority is narrow. Permanent authority requires member protection, regional voice, external verification, conflict rules, funding discipline and safeguards against recreating the same gatekeeper in a new shell.

The legal handoff is not glamorous. It is also where many transition dreams die. A design that cannot answer who may lawfully export the data, operate the service, maintain keys, invoice members, process uncontested changes and obey court orders is not a transition architecture. It is a manifesto. AFRINIC's experience suggests that the world may not get months of calm reflection when the next registry failure arrives. The legal map needs to exist before the morning-after question is asked.

Regional voice can survive if custody is separated from politics

One of the weakest arguments against transition is that reducing registry discretion would erase regional voice. It would erase a particular form of voice: the form in which a private regional office combines data custody, service operation, policy convening and discretionary control. It need not erase regional expertise, representation or operational input. Indeed, separating custody from politics may make regional voice more credible because participants can speak without threatening the ledger.

Regional knowledge matters. African networks face particular constraints: varied capital costs, currency exposure, undersea-cable dependency, data-centre concentration, mobile growth, public-sector demand, IXPs at different stages of maturity, IPv6 transition burdens, language diversity, uneven regulatory capacity and a long tail of small operators. AFRINIC policy material on IPv4 soft landing, IXP reservations, reverse delegation and member processes reflects genuine regional operating questions. A beyond-RIR architecture should not pretend these questions vanish into a global spreadsheet.

The issue is where that regional knowledge sits. If it sits inside the authority layer as an unreviewable veto over holder continuity, it becomes dangerous. If it sits in advisory, policy, capacity-building and evidence channels, it remains valuable. A regional forum can recommend allocation priorities for remaining scarce supply. It can document local operational needs. It can advise governments. It can coordinate training. It can publish research on abuse contacts, DNS hygiene, RPKI deployment or IPv6 readiness. It can help small networks participate. None of that requires the forum to be the sole custodian of the ledger or the only path for verified holders to receive service.

This separation also protects small networks. Incumbent rhetoric often claims that transition serves only large commercial holders. That risk is real if transition is designed around pure market exit. But a custody-politics separation can do the opposite. It can guarantee small holders a signed evidence pack, low-cost continuity service, clear dispute rules, predictable reverse-DNS support, member representation and protection against being ignored during institutional crisis. Captivity is not protection. A small ISP trapped in a failing registry has less leverage than a large holder. A transition architecture should reduce that asymmetry.

Regional voice should therefore be preserved by narrowing custody, not by defending the old bundle. The region should be able to speak, advise, organize and contest. It should not have to hold networks hostage to be heard.

The incentives around transition are hostile by default

No transition architecture can rely on everyone behaving like public-spirited engineers. The incentives are too sharp. Incumbent registries resist transition because the data and service bundle is their strongest asset. If holders can verify records externally, port service, demand escrow, quarantine disputes and use emergency substitutes, the incumbent's aura of indispensability weakens. Even a well-run registry may fear that a safety valve will become a discipline mechanism. A troubled registry has stronger reasons to fear it.

Peer registries fear precedent. If one regional office can be substituted, escrowed or narrowed, the others may be asked why their own ledgers are not similarly portable. They may frame the issue as stability, but stability and self-preservation often look similar from inside a club. This does not mean peer assistance is useless. Technical support, shared experience and emergency cooperation can be valuable. It means the transition design cannot depend on peers voluntarily reducing their own future bargaining power.

Governments have mixed incentives. They bear public downside when communications continuity is threatened, but they may also see a registry crisis as an opportunity to gain control. Some will want lawful continuity. Some will want national leverage. Some will fear that a private foreign company has too much power over domestic networks. Some will prefer the old model because it keeps hard choices outside the ministry. A transition architecture must give governments a responsible role without inviting fragmentation. The best way to do that is to make continuity evidence-rich and globally compatible, so public authorities can protect domestic interests without inventing conflicting ledgers.

Large holders have mixed incentives too. They want certainty, transferability, portability and protection against arbitrary action. They may also seek advantage: faster exits, lighter review, bespoke treatment or influence over successor design. Their resources make them essential to building transition capacity and dangerous if unchecked. A credible architecture should welcome their evidence and funding where appropriate while preventing them from buying rule changes that small networks cannot obtain.

Small networks need predictability above all. They may distrust both the incumbent registry and the large commercial challengers. They may lack legal budgets, staff time, policy fluency or cross-border counsel. Their main question is whether service will continue and whether the rules will be understandable. If transition looks like a fight among elites, small networks will rationally prefer the devil they know. The design should therefore make small-holder protections visible: low-cost evidence packs, notice rights, simple correction procedures, strict limits on emergency fees, language support, help with reverse-DNS continuity and clear dispute isolation.

Creditors, suppliers, staff and courts add further complexity. An insolvent or near-insolvent registry has ordinary claims against it: salaries, vendors, legal costs, taxes and debt. Staff may also hold the operational knowledge needed to keep fragile systems alive. Yet the numbering records themselves should not be treated as a liquidation pot. Public reporting in 2026 described ICANN's argument that numbering resources administered through AFRINIC are not assets available for distribution in a winding-up. Whatever courts decide in any specific proceeding, the continuity architecture should assume that the ledger is a public-reliance system, not furniture in the office.

These incentives explain why transition cannot be left to good faith. It needs hard design: escrow, signatures, service substitution, portability triggers, legal maps, funding rules, dispute quarantine, audit trails and role limits. Institutions behave better when the architecture makes opportunism difficult. The point is not to find angels. It is to make the system less dependent on them.

A staged migration is more conservative than permanent discretionary captivity

Critics will call any beyond-RIR design radical. In one sense they are right. It changes the assumption that a regional registry office should be the permanent centre of data, service, authority and dispute handling. In another sense, staged transition is more conservative than the status quo. It seeks to preserve existing records, user reliance, service continuity and regional knowledge while reducing the chance that a single fragile office can break them. Permanent discretionary captivity is the more reckless model.

The first stage is transparency and evidence. Every registry should maintain complete, signed and externally verifiable snapshots of the ledger and material histories. Holders should be able to obtain signed evidence of their own resources and service state. Public data should be reproducible. Auditors should be able to test whether snapshots match operational services. Courts should be able to receive structured schedules. No authority changes hands in this stage. The main change is that the incumbent no longer monopolizes proof.

The second stage is continuity rehearsal. Essential services should have documented substitution plans, test environments, key-custody procedures, member-notice templates, emergency funding arrangements and change-control rules. The rehearsal should include RDAP and Whois continuity, reverse-DNS operations, RPKI and certification renewal where applicable, ASN records, transfer queues and support portals. The goal is not to embarrass the incumbent. The goal is to know whether the network can survive a weekend in which the office cannot act.

The third stage is dispute quarantine. Registries should classify and mark disputes at resource level, separate corporate-governance disputes from service disputes, publish non-sensitive status, preserve evidence and continue unrelated service. This stage may be implemented even inside the existing registry. It reduces harm before any substitution occurs. It also reveals whether the incumbent can accept limits on its own discretion.

The fourth stage is emergency service substitution. If objective service triggers are met, a temporary operator or trustee can run narrow functions from escrowed data. Triggers might include loss of service, inability to maintain essential systems, absence of lawful corporate authority, court order, proven data-integrity risk or failure to process uncontested urgent changes within defined time. The substitute runs services, not policy. It is paid, audited and removable.

The fifth stage is portability under bounded conditions. Holders with verified positions, standing fees and no unbounded disputes can move service recognition to an approved continuity arrangement. Contested resources can remain held; uncontested services can continue. If portability arrives only after the office is dead, it arrives too late.

The sixth stage is authority reconstruction. A successor regional body, federated model, trustee structure or thin coordination layer may take over narrow authority only after continuity is protected. The successor must prove that it can maintain the ledger without recreating discretionary captivity.

Staging matters because it lowers fear. Incumbents can see which powers are actually at risk. Members can see which services will continue. Courts can see which steps are reversible. Governments can see that global uniqueness is protected. Technical operators can test the systems before the fire. A staged migration is not a jump into the dark. It is the lighting of escape routes in a building everyone still has to use.

AFRINIC is the rehearsal because it combines scarcity, legal form and public reliance

AFRINIC should not be treated as an exotic exception. It is a rehearsal precisely because its difficulties expose features present throughout the RIR system. A regional registry is a private legal entity under domestic law, yet it provides services on which networks across many jurisdictions rely. It administers scarce resources whose economic importance has outgrown the old language of clerical allocation. It runs public query and delegation functions. It depends on member confidence, court recognition, technical competence and global acceptance. When any of those supports weakens, the system discovers how much it had assumed rather than designed.

Receivership supplied one lesson: legal systems can preserve operations, but only if they understand what must be preserved. Reporting in 2023 framed AFRINIC's receivership as a rule-of-law mechanism that could maintain services while leadership was repaired. That is the optimistic version of court involvement. It shows that domestic law is not automatically the enemy of internet governance. But it also shows that the registry community cannot simply declare itself outside ordinary legal reality. If the legal vessel fails, courts will be asked to act. Transition architecture should equip them rather than complain afterward that they do not understand the internet.

The election disputes supplied another lesson: corporate legitimacy can remain uncertain while services remain necessary. Whether one emphasizes allegations of proxy irregularities, ICANN concern, receiver discretion, member-right classifications or the eventual board recovery, the operational point is the same. Governance can be contested for months or years. During that time the ledger cannot wait for perfect legitimacy. The system needs a safe mode: narrow service, preserved data, frozen high-risk changes, processed low-risk changes, structured evidence and transparent member notice.

The IPv4 exhaustion setting supplies a third lesson. AFRINIC's own exhaustion page describes Phase 2 scarcity, small allocation and assignment ranges, utilisation requirements and request handling. Scarcity means delay has value. It means transfer certainty matters. It means old records become financial evidence. It means a registry office's ability to say yes, no, later or prove it again is economically consequential. Transition design cannot be limited to keeping a website online. It must preserve settlement confidence around scarce resources.

The member-right controversy supplies a fourth lesson. Public reporting in 2026 described debate over the relationship between AFRINIC resource members and registered members under Mauritian company law. That distinction may sound parochial, but it is central to transition architecture. Resource reliance and corporate voting rights are not the same thing. A holder may depend on registry service even if corporate law treats its governance role in a narrower way. Conversely, a corporate actor may have governance authority without being the right party to alter a particular resource record. Transition must separate service reliance from corporate formalities while respecting both.

The wind-up dispute supplies the final lesson. A registry can be a local company and still carry a global public function. Saying that does not make it sovereign. It means legal remedies should distinguish the corporate shell from the ledger's continuity function. If the company is restructured, replaced or wound up, the resource records should not be treated like office chairs. They are records of reliance in a global coordination system. The transition question is how to move that reliance lawfully, not how to pretend legal form does not matter.

AFRINIC's value as a rehearsal is therefore not that it proves one faction right. It is that it forces the design question into the open. What exactly must continue if the office cannot? Which powers are necessary, which are legacy habits, and which are dangerous? Who verifies the ledger? Who runs the services? Who may change records? Who hears disputes? Who protects small networks? Who informs courts? Who pays for the bridge? A system that cannot answer these questions is not stable. It is merely untested.

The practical test is whether the ledger can outlive the gatekeeper

The final test is deliberately simple. If AFRINIC, or any registry, failed tomorrow, could the ledger continue? That means more than a file dump. It means complete, signed, audited and usable records; holder-access evidence; history sufficient to explain current status; public query continuity; privacy controls; dispute flags; and a court-usable schedule of dependencies. If the answer is no, the region is relying on institutional luck.

Could users be served? That means RDAP and Whois responses, reverse-DNS maintenance, ASN record support, RPKI and certification continuity where relevant, transfer processing for uncontested cases, urgent contact corrections, abuse-contact publication, member support and clear notices. It also means service-level expectations, emergency funding and technical operators who can execute under pressure. If the answer is no, the registry is not a thin coordinator. It is a single point of failure.

Could disputes be quarantined? That means one contested prefix does not freeze a continent. One election dispute does not disable service. One court filing does not become a general policy veto. One alleged forged authority does not contaminate every holder. Quarantine requires classification, evidence standards, resource-specific holds, review paths, logs and disciplined communication. If the answer is no, the dispute layer has already captured the service layer.

Could authority be rebuilt without holding networks hostage? That means the emergency operator does not become a new ruler, the incumbent does not use service captivity to demand deference, large holders do not buy the successor, governments do not fragment the ledger, and small networks do not lose access because they lack lawyers. It means regional voice remains possible while custody is narrowed. It means portability exists before collapse. It means legal handoff is mapped, not wished into being.

This is the economics of transition architecture beyond RIRs. The argument is not that uniqueness no longer matters. It matters more than ever. The argument is not that registry services are trivial. They are valuable precisely because networks rely on them. The argument is not that discretion can disappear overnight. Some judgment will remain in fraud prevention, legal compliance and exceptional cases. The argument is that the present bundle gives too much institutional leverage to the office and too little independent resilience to the ledger, the services and the users.

AFRINIC shows both the danger and the path. The danger is a regional registry whose corporate life, election process, legal disputes and member conflicts can become entangled with critical records. The path is not reckless shutdown. It is staged continuity: escrowed ledger data, portable evidence, service substitution, narrow authority, dispute quarantine, legal handoff, member protection, public evidence and regional advice separated from custody. That is less dramatic than the language of reform or revolution. It is also more serious.

The internet's numbering layer was tolerated because it was supposed to be boring. Scarcity, asset value, geopolitical pressure and institutional crisis have made it interesting in the worst possible way. The cure is not to make a new priesthood more interesting still. The cure is to make the critical parts boring again: verifiable records, predictable services, bounded authority and disputes that do not spread.

If a registry can prove that the ledger will survive its own failure, it deserves more trust. If it cannot, no amount of rhetoric about community, history or recognition should be enough. The proper loyalty is not to the gatekeeper. It is to the continuity of the users who built real networks on top of the numbers the gatekeeper was only supposed to record.