Summary
- Registration accuracy is a core requirement of the Internet Numbers Registry System, but availability, ticket response and annual contact validation are not substitutes for a clock that runs from a credible error report to verified correction across every affected public surface.
- The relevant record is wider than one Whois line. Holder identity, authority, abuse contacts, RDAP responses, RPKI certificates and ROAs, reverse DNS delegations, referrals and dispute status can fail differently and can become consistent at different times.
- No common public denominator was found that permits a defensible global comparison of RIR correction latency. Any serious commitment must publish case counts, severity definitions, exclusions, age bands and percentiles without inventing a worldwide average.
- Number Resource Society can press for a public-dependency standard: rapid acknowledgement, risk-based containment, reasoned decisions, propagation checks, independent review and aggregate reporting that protects both holder evidence and reporter privacy.
The record can be available and still fail
At 02:13 UTC, an incident responder finds an address range serving a credential-theft campaign. The authoritative registration response names an organisation that says it relinquished the range months earlier. The abuse mailbox rejects mail. A second directory view points to a different contact. The reverse delegation still reflects an old operator. A route origin authorisation permits an autonomous system that the apparent holder does not recognise. Every service answers quickly.
For the responder, the decisive measure is not response time in milliseconds. It is how quickly a credible conflict is acknowledged, investigated, contained, decided and corrected. If a repair is accepted at the registry account layer but remains absent from RDAP, cached Whois, reverse DNS or RPKI publication, the public dependency has not yet recovered. If the reporter receives a courteous message but cannot learn whether the contested field was verified, the accountability gap remains.
The registry may face a genuinely difficult case. The supposed former holder may lack authority to speak. A corporate merger may have changed names without changing control. A legacy registration may not have a modern contract. The route origin may be deliberate even though the abuse contact is stale. A fraudster may be attempting to seize a record by filing a persuasive complaint. Accuracy cannot mean instant acceptance of every report.
That difficulty strengthens the case for a service commitment rather than weakening it. A good commitment does not promise that every complainant wins within a day. It promises defined treatment: acknowledgement, risk classification, preservation of evidence, interim safeguards where justified, a reasoned outcome, correction of confirmed defects, and an escalation route when delay itself causes harm.
Registration accuracy is a public function
RFC 7020 describes registration accuracy as a core requirement of the Internet Numbers Registry System. The registry must preserve uniqueness and provide accurate information about allocations for operational needs. This is not merely a private convenience exchanged between a fee-paying member and a service desk. Operators, incident responders, researchers, prospective transferees, courts, public authorities, vendors and ordinary network users all make decisions that depend on the answer.
The public does not acquire every right that a resource holder has. A stranger should not be able to rewrite an organisation record, view confidential evidence or force disclosure of personal data. Nor does a registration entry prove beneficial ownership, physical location, lawful conduct or control of every routed address. Yet the utility of the registry depends on people outside the contractual relationship being able to rely on bounded propositions: which registry is authoritative, which organisation is registered, which contacts are designated, which resource range is covered, and when the public record last changed.
This creates a public-dependency institution. Its duties cannot be judged solely by member satisfaction because many people exposed to bad records are not members. The victim whose abuse report bounces, the small network inheriting stale reverse delegations, or the researcher measuring resource concentration may never open a paid account. Their dependence is nevertheless foreseeable and central to why directory data is public.
The phrase “customer service” is therefore too narrow. A pleasant exchange can coexist with a wrong public answer. A service-level commitment for data accuracy must attach to the integrity of the public function, not only to the speed of correspondence with the person who pays the invoice.
Uptime is the wrong denominator
Traditional technical reporting asks whether a service was reachable. It can measure DNS availability, HTTP success, query latency, maintenance windows and recovery after an outage. These measures matter. An accurate record that cannot be retrieved is not useful.
But availability and correctness are independent dimensions. A directory that returns the same obsolete contact from redundant sites can achieve excellent uptime. A highly available RPKI repository can distribute a mistaken authorisation efficiently. A reverse DNS service can answer consistently from a delegation that should have changed. Reliability of delivery says nothing by itself about validity of content.
The distinction is visible at the IANA boundary. The SLA for IANA Numbering Services creates an explicit service relationship between ICANN and the five RIRs. IANA publishes number-resource performance reports with defined expectations for such matters as request acknowledgement, implementation accuracy, reverse-DNS API acknowledgement, propagation and availability. The exact monthly denominator can be small or even zero, and the report says so.
That example does not establish what every RIR must promise to every public user. IANA handles a narrower boundary and a different set of counterparties. It does prove that number-resource administration can name a clock, define an expected result, publish the denominator and distinguish “no request occurred” from perfect performance. The discipline is portable even when the thresholds are not.
A support reply is not a correction
A registry can answer a ticket within one or two business days without resolving the underlying defect. The reply might request documents, redirect the reporter, state that the holder must update the field, or explain that no action can be disclosed. Each may be appropriate. None establishes the correction latency.
The distinction requires at least five clocks. The first runs from report receipt to acknowledgement. The second runs to triage, when the registry classifies severity and identifies affected services. The third runs to a preliminary protection decision, such as flagging a contact as unvalidated or preventing an unauthorised account change. The fourth runs to an authoritative determination. The fifth runs from that determination until all in-scope public surfaces show the corrected state and independent checks confirm it.
One case can stop and restart clocks for legitimate reasons. The reporter may not confirm an email. The holder may seek more time. A court may restrict action. Evidence may conflict. A transfer may be pending in another region. A published commitment should name these pause conditions and report them separately. Otherwise every difficult case can disappear into “awaiting information,” making the headline number meaningless.
Closing a ticket also needs a definition. Closure because a complainant stopped replying is not the same as rejection after evidence review, correction by the holder, correction by the registry, or a finding that the public entry was accurate. Aggregate reporting should preserve those outcomes. A single “resolved” count rewards administrative closure rather than restored data quality.
The entity of correction is a dependency map
Number-resource information appears in related but distinct systems. An allocation or assignment record names a resource and a registered holder. Contact records identify administrative, technical, routing, DNS or abuse roles. Whois presents text assembled according to a local data model. RDAP presents structured responses, links, notices, status values and dated events. Internet Routing Registry entries describe routing intent. RPKI certificates and signed entities support origin validation. Reverse DNS delegates authority beneath in-addr.arpa or ip6.arpa. IANA bootstrap data directs an RDAP client to an authoritative service.
A defect can belong to one surface or several. A dead abuse mailbox does not prove that the registered holder is wrong. An old organisation name may be a harmless trading-name issue or evidence of an unrecorded succession. A stale route object can coexist with a correct ROA. A correct ROA can authorise a route that the holder does not currently announce. A reverse delegation can be technically healthy while naming servers controlled by a former operator. An RDAP event date can accurately describe when the entry changed while the substantive value remains disputed.
The first duty in correction is therefore scoping. Which proposition is contested? Which institution has authority to change it? Which dependent views are generated from the same state? Which require separate action by the holder, another RIR, IANA, a DNS operator or a certificate holder? Without that map, a registry can report that “the record was updated” while the public user continues to receive the harmful answer elsewhere.
A serious commitment measures end-to-end recovery for each in-scope class. It does not hold one RIR liable for a cache it cannot control, but it does require the RIR to publish its own change, send required delegations or notices, and state the remaining dependency clearly.
Whois made local variation easy to hide
RFC 3912 is a short specification for a simple query-and-response service. It does not provide the structured authentication, authorisation, internationalisation or privacy capabilities expected of a modern registration service. RIRs built valuable local conventions around it, but a public user often has to know which server, flags and field meanings apply.
This local character affects correction. One service may expose a visible validation marker. Another may remove or redact a field. Another may preserve an old entry while placing a remark elsewhere. Referral behaviour can lead the user from an RIR record to a downstream operator whose data quality rules differ. Text scraping can miss a comment that a human would recognise as decisive.
Whois also encourages a false idea of one record. The displayed answer may combine registration state, contact entities and routing information maintained under different permissions. Correcting the organisation does not automatically repair every referenced role. Correcting a role may affect many resources. A quick edit can produce unintended consequences if the dependency is not understood.
The appropriate response is not to condemn Whois users. It remains widely used and can be operationally efficient. The governance duty is to state which public views are authoritative for which propositions, how correction status appears, and whether older interfaces receive the same repair. A migration to RDAP that leaves a contradictory Whois answer available without explanation transfers uncertainty rather than resolving it.
RDAP structures the answer but does not warrant it
RDAP improves machine readability. RFC 9083 defines JSON responses for entities, networks, autonomous systems and domains, together with links, notices, remarks, status and event information. RFC 9224 defines how clients use IANA bootstrap registries to find the authoritative RDAP service for a scope.
These are major improvements for accountability. A client can distinguish an event date from a free-text comment, follow a link, identify the service that claims authority and preserve the response for later comparison. An operator can test whether a corrected value appears consistently. A registry can add notices that explain conditions or restrictions.
The protocol does not decide whether an organisation name is true, whether a contact will answer, whether a transfer was properly approved, or how quickly a confirmed defect must be repaired. Structured wrong data remains wrong. A precise timestamp can reveal staleness but cannot explain why it persists. An authoritative endpoint establishes where the answer comes from, not whether the answer deserves confidence.
This boundary should appear in public commitments. Availability tests ask whether RDAP responds correctly at the protocol level. Data tests ask whether required fields agree with authoritative evidence and policy. Correction tests ask how long a confirmed discrepancy remains. Conflating the three allows a healthy endpoint to conceal an unhealthy record.
Contact validation measures a cycle, not correction latency
RIRs do publish meaningful rules for contact validation. ARIN’s Point of Contact guidance describes annual validation for specified public contacts, gives them up to 60 days to affirm that information is complete and correct, and marks unresponsive records invalid after that period. APNIC’s Internet Number Resource Policies require periodic validation of Incident Response Team contacts every six months, specify response periods and describe consequences for failed validation. RIPE policy on regular abuse-c validation established at least annual checking and follow-up for invalid abuse contacts.
These are governance achievements. They make a duty visible, impose recurring attention and create consequences for silence. They also show why a universal headline can mislead. The ARIN figure concerns the time allowed to validate certain POCs, not the time to correct every confirmed Whois inaccuracy. The APNIC periods concern IRT contact checks, not all holder, routing, RPKI or reverse-DNS data. RIPE’s policy establishes annual validation and follow-up but does not convert every outside report into one guaranteed correction deadline.
A validation cycle answers, “How often will this class be challenged proactively?” A correction SLA answers, “What happens after a specific credible defect is reported or detected?” Both are necessary. A mailbox can become invalid the day after annual validation. Waiting for the next cycle would satisfy the cadence and fail the user.
A valid mailbox is not a responsive institution
Abuse-contact quality illustrates the limits of binary validation. A mailbox can accept a verification message yet ignore substantive reports. It can send an automated receipt without any person reviewing the allegation. It can be monitored in one language or time zone only. It can belong to a role that lacks authority to mitigate abuse. Conversely, a mailbox can reject a poorly formed test while a network maintains an effective incident channel elsewhere.
RIPE NCC’s public guidance on finding abuse contacts draws an important line: its role is to keep the listed contact valid and current, while the network operator remains responsible for handling an abuse report. The registry cannot promise that every operator will resolve every complaint.
An accuracy commitment should preserve that line. It can require that the designated address exists, is under the holder’s control, is periodically validated, and is replaced within a defined period after confirmed failure. It can publish how many invalid-contact reports were received, how many were confirmed and how old unresolved cases are. It should not claim that mailbox validation proves effective abuse remediation.
The public user needs a reason code. “Contact validated” should mean a defined test passed at a stated time. “No response to your allegation” is a different condition. This vocabulary prevents registries from being blamed for operator conduct while preventing operators from hiding behind a technically deliverable but functionally abandoned address.
Holder identity errors deserve severity classes
Not every wrong field creates equal harm. A misspelled street suffix is different from registering the wrong legal entity. A stale phone number is different from an unauthorised change of administrative control. A harmless abbreviation is different from a former company still appearing as holder after a completed transfer. Treating all defects alike either overwhelms urgent review or leaves serious cases in an ordinary queue.
A workable severity model can begin with effect. Critical cases create a plausible risk of duplicate registration, unauthorised control, loss of routing authorisation, wrongful transfer, or inability to restore service. High-severity cases materially misidentify the holder or disable required operational contact. Medium cases impair reliable contact or create significant inconsistency across authoritative views. Lower-severity cases concern descriptive fields with limited operational effect.
Classification cannot be fully automatic. A legal-name change may look cosmetic but matter greatly during insolvency. A route authorisation dispute may reflect an intentional customer arrangement. The initial severity can change as evidence arrives. The commitment should allow reclassification while preserving the original clock and explaining why priority changed.
Public reporting can aggregate by class without exposing the holder’s documents. The goal is not a league table of scandal. It is to show whether the institution recognises that some errors threaten continuity and whether those cases age differently from ordinary updates.
RPKI turns data quality into routing consequence
RPKI raises the stakes because signed entities can influence routing policy. RFC 6480 describes a certificate hierarchy aligned with number-resource allocation and a repository from which relying parties pull current material. A resource certificate binds a key to enumerated resources; a ROA authorises an origin AS for specified prefixes. Network operators then decide how to use validation results.
An erroneous or obsolete authorisation can therefore affect reachability when networks reject or de-preference routes that conflict with it. The exact effect depends on local routing policy, cache freshness and the existence of alternative routes. A mistaken ROA does not guarantee an outage, and an outage does not prove a mistaken ROA. Yet the correction clock matters more than a cosmetic directory edit because relying parties may repeatedly fetch the signed state.
RFC 8211 analyses adverse actions by certification authorities or repository managers, including deletion, revocation and alteration scenarios. It notes that mistakes, attacks and compelled actions may be hard to distinguish except partly through remediation time. That observation is a governance warning: restoration speed is evidence about institutional health even when cause remains uncertain.
A RPKI accuracy commitment should separate holder action, registry action, repository publication and relying-party observation. It should state when a request was authenticated, when the corrected entity became available, what manifest and revocation state changed, and when independent validators observed the new result. It should not promise that every router worldwide adopted the state at one moment.
ROA metadata needs bounded claims
The public often describes a ROA as proof that a route is legitimate. That language is too strong. A valid ROA supports a bounded statement: a certificate holder authorised an origin AS for a prefix within specified length conditions, and the signed entity validates under the relying party’s chosen trust anchors at the time of validation. It does not prove that the holder still wants the route announced, that the origin controls every downstream path, or that the traffic is benign.
Correction accountability must match this proposition. A holder who detects the wrong origin needs a secure way to replace or withdraw the entity. A reporter who is not the holder may need to alert the registry, but should not be able to revoke it merely by assertion. If holder credentials are compromised, ordinary authentication may be part of the problem, requiring a protected recovery route.
The registry should publish category-level latency without exposing security-sensitive recovery details. Useful measures include time to acknowledge an authenticated emergency, time to place a protective hold where policy permits, time to publish the corrected signed state, and time to notify the holder of completion. Cases delayed by ownership disputes should remain visible in age bands rather than disappearing from the statistic.
This is where service design and public reporting meet. The cryptographic entity makes alteration detectable, but it does not guarantee timely, fair or accurate decisions by the institution authorised to issue and revoke it.
Reverse DNS crosses several authorities
Reverse DNS for address space follows delegated authority beneath in-addr.arpa and ip6.arpa. RFC 3172 describes management of the arpa domain and the relationship between address delegation and reverse zones. At the top boundary, IANA receives changes from RIRs for their number-resource allocations and measures acknowledgement, propagation and availability. Below that boundary, RIRs and resource holders may manage further delegations.
A stale reverse delegation can survive even when the registration name is corrected. The holder may need to submit new name servers. The RIR may need to verify authority. Parent-zone publication and DNS propagation then follow. DNSSEC adds key and delegation dependencies. A recursive resolver may cache the prior state until its time to live expires.
No one clock fairly describes every step, but that is not a reason to publish none. The RIR can measure receipt, authority verification, change acceptance and parent publication. It can verify the new delegation from multiple vantage points. It can state the expected cache horizon without pretending to control every resolver. If IANA action is required, the RIR can identify when the request crossed that boundary and use the separate IANA measure.
The public user should be able to distinguish “registration corrected; reverse change awaits holder nameservers” from “reverse change accepted; propagation in progress.” Status specificity is more valuable than a generic assurance that staff are working on it.
Disputes need a clock even when truth is contested
Some inaccuracies are not clerical. Two organisations may claim succession to the same resource. A former director may retain account access. A liquidator, purchaser and legacy registrant may present conflicting documents. One jurisdiction may recognise an order that another party contests. The registry must avoid deciding complex property or corporate law through an informal email exchange.
The 2025 draft RIR Governance Document Version 2 is relevant but must be read as a draft, not a completed universal regime. It defines RIR services around accurate holder information, calls for stable, reliable, secure, accurate and accountable service, and proposes fair, effective adjudication for member rights. It also emphasises timely action and independent review in specified settings.
Public reporters may not qualify for member adjudication. That gap matters because the person harmed by a wrong contact or registration may be outside the registry’s membership. A public correction route need not grant strangers standing to litigate allocation rights. It should allow them to submit evidence, receive confirmation that the claim was classified, and learn a bounded outcome: corrected, not substantiated, referred to the holder, outside authority, or subject to a formal dispute.
The dispute clock can measure milestones rather than guarantee final judgment. Initial preservation, notice to affected parties, appointment of an independent reviewer, exchange of evidence, interim decision and final disposition can each have targets. Unresolved cases should be reported by age and status. Complexity explains a longer clock; it should not erase the clock.
“Timely” needs a published meaning
Many institutional documents use words such as expeditious, reasonable, current or timely. These words preserve necessary discretion, but they do not let an outside observer test performance. A holder may consider three weeks reasonable for a historical address note and intolerable for a route-authorisation error. Both reactions can be rational.
The answer is not one universal number. It is a matrix of severity, service and milestone. A critical authenticated control error might require acknowledgement at all hours and a rapid protection decision. A contested corporate succession may require a business-day acknowledgement, an evidence schedule and periodic status updates. A routine contact correction may have a longer completion target. A reverse-DNS change may separate approval from observable propagation.
Targets should include percentiles rather than only averages. An average can improve while a small set of damaging cases ages for months. The median shows the ordinary case; the 90th or 95th percentile shows the tail; the oldest open case reveals whether some matters have become stranded. Where the case count is too small for a stable percentile, the report should publish counts and age bands instead of decorative precision.
The registry should publish both target and attainment. A target without performance is aspiration. Performance without a predeclared target rewards whichever outcome happened. Together they create a basis for board oversight and community correction.
The denominator must include inconvenient cases
The easiest way to produce a high compliance rate is to narrow the denominator after the fact. Exclude reports made by non-members, reports awaiting holder action, legacy resources, suspected fraud, privacy-sensitive cases, cross-RIR matters and disputes, and almost every difficult error can vanish.
A credible report begins with all received submissions, then shows disposition. Duplicates can be counted separately and deduplicated analytically. Spam can be identified. Unconfirmed reporter addresses can be recorded. Matters outside authority can be referred. Claims lacking evidence can be rejected. None needs to inflate the confirmed-error rate, but each should remain visible enough to explain how the intake became the measured correction population.
For confirmed defects, exclusions should be narrow and named. If a clock pauses while a court order prevents action, report the paused duration. If a holder fails to respond, show the age and enforcement stage. If another RIR must act, separate the local handling time from the external wait. If the record cannot be corrected because policy offers no mechanism, classify it as a governance gap rather than an on-time closure.
The absence of a common public denominator is the central uncertainty in comparing RIRs. Public pages reveal valuable pieces, but they use different fields, validation cycles, ticket classes and legal terms. No defensible worldwide correction average follows from those materials. Any number pretending otherwise would measure the collector’s assumptions more than registry performance.
Independent checks should confirm propagation
A registry should not be the sole observer of whether its correction reached users. Independent checks can query RDAP and Whois from several networks, validate RPKI repositories with more than one conforming validator, test authoritative reverse DNS, and compare IANA bootstrap referrals. The checks need not disclose protected evidence; they test the public result.
Observation should preserve time and vantage point. A single successful query does not prove global consistency, but repeated checks can identify whether an old node, cache or referral continues serving stale state. If a dependent service is outside the registry’s control, the evidence supports precise escalation rather than blame.
The registry can publish a completion receipt to the holder and, where appropriate, the reporter. The receipt should name the corrected proposition, affected public services, publication times and remaining caveats. It should avoid private documents and security details. A signed receipt would help the holder show downstream users that an authoritative change occurred at a particular time.
Independent auditors can test samples from report receipt through public observation. They should include missed targets and disputed closures, not only easy successful cases. The aim is to learn whether the measurement describes reality, not merely whether a dashboard can be reproduced from the registry’s own classifications.
Transparency must not expose complainants or recovery paths
Correction cases can contain identity documents, contracts, merger records, court filings, account-security facts and allegations of fraud or abuse. Publishing raw cases would deter reporting and create new attack opportunities. Querying behaviour can reveal investigations. A fraudulent claimant could study detailed rejection reasons to improve the next attempt.
Aggregate accountability therefore needs privacy design. Public reports can show case counts, categories, age bands, attainment, reclassification and appeal outcomes without naming parties. Rare categories may need to be combined or delayed to prevent identification. Security-sensitive methods can be reviewed by an independent assessor under confidentiality while the public receives findings about effectiveness.
Reasoned notice to the affected parties can be fuller than the public notice. The holder may need to know which evidence failed and how to appeal. A reporter may receive confirmation that a contact was corrected without receiving the holder’s private records. The wider public may see only that a contested status was removed after review.
Opacity is not the only way to protect security. Layered disclosure can preserve private evidence while exposing whether the institution met its own clock, applied the right authority and repaired the public state.
Accountability needs consequences, not credits
Commercial cloud SLAs often offer fee credits after downtime. That remedy is poorly matched to public registry-data harm. Many dependent users pay no fee, and a small credit to a holder does not compensate an incident responder misdirected by an old abuse contact. Accuracy failures can affect parties who have no contract with the RIR.
The stronger remedies are institutional. Repeated missed targets should trigger a published improvement plan, governing-body review, independent sampling and follow-up. A severe case should receive named executive accountability and, where policy allows, independent adjudication. Persistent systemic failure should affect audit conclusions and broader recognition discussions, not be absorbed as routine support variance.
Resource holders also need practical remedies: restoration of access, urgent certificate repair, corrected publication, notice to known dependent services, and preservation of evidence for legal use. Public reporters need a route to challenge an obviously mistaken closure without gaining control over the record.
Consequences should be proportionate. One complex miss does not prove institutional failure. A pattern hidden by denominator changes is more concerning than an openly reported breach with a credible repair plan. The governance signal lies in how the registry responds to its own miss.
Five regional systems need comparability, not uniformity
The five RIRs operate across different laws, languages, membership structures, resource histories and data models. Uniform deadlines for every field would ignore real constraints. Legacy resources create authority questions in one region; national registries shape another; privacy law affects public contact display; service hours and local holidays differ.
Comparability can coexist with regional variation. Every RIR can report the same high-level stages while setting justified thresholds. Every report can disclose whether days are calendar or business days, which time zone controls, what starts and stops the clock, and which resource classes are covered. A common severity vocabulary can map to local procedures. A common outcome vocabulary can distinguish corrected, rejected, withdrawn, referred, contested and pending.
This federated approach is stronger than one global average. It lets communities inspect local performance and lets cross-region users understand differences. It also permits experimentation. One RIR might publish rapid interim flags; another might provide stronger signed receipts; a third might test independent mediation. Comparable evidence allows the better practice to spread without pretending each region is identical.
The NRO is an obvious venue for agreeing a minimum reporting profile. Agreement should not require sharing personal case data or centralising decisions. It requires common questions and honest denominators.
A minimum accuracy commitment
A useful baseline can be concise. First, every RIR should provide a public, authenticated-capable route for reporting inaccurate registration, contact, routing-security and reverse-DNS data. The route should issue a case reference without requiring the reporter to become a member.
Second, the registry should acknowledge receipt and classify authority and severity within published periods. Where credible evidence indicates imminent loss of control or routing harm, a protected emergency route should be available at all hours.
Third, the registry should preserve the contested state and evidence, notify the registered holder where lawful and safe, and prevent unauthorised changes during review. A visible contested marker may be appropriate for some public fields, but it should not become a tool for harassment.
Fourth, the registry should publish milestone targets by case class: triage, preliminary protection, evidence request, determination, correction, dependent-service publication and appeal. Pause rules and maximum update intervals should be explicit.
Fifth, completion should require verification across the affected public services under the registry’s control. Remaining dependencies should be named in the case notice.
Sixth, quarterly or annual reports should show intake, dispositions, confirmed defects, attainment, percentiles or age bands, oldest cases, appeal results and material exclusions. Small denominators should be stated plainly.
Finally, an independent body should test samples and publish whether the commitment is measurable and fairly applied.
What Number Resource Society can add
Number Resource Society starts from a strong claim in its Charter: the legitimacy of number-resource institutions depends heavily on accurate registration and voluntary recognition. That claim becomes more useful when converted from criticism into a testable public standard.
NRS could convene resource holders, operators, incident responders, researchers and RIR entities to define the common correction vocabulary. It could maintain a comparative index of published commitments without ranking incomparable figures. It could provide a neutral form for documenting failed contacts, contradictory responses and elapsed milestones, then give the relevant registry a fair opportunity to explain or correct the entry.
NRS should not declare a record wrong merely because one complainant disagrees. It should not publish identity documents, warehouse personal contact data or substitute its judgment for recognised allocation authority. Its value would be procedural: preserve the public observation, distinguish allegation from confirmation, track whether an accountable answer arrives and identify recurring gaps that policy communities can address.
A future NRS assurance mark could indicate that a registry publishes a complete denominator, severity classes, propagation checks and independent review. It should expire unless evidence remains current. The mark would recognise measurable conduct, not confer authority over number resources.
What users should watch now
Until common commitments exist, public users should read registry data with bounded confidence. Preserve the authoritative response, query time, endpoint and referral path. Check whether Whois and RDAP agree. Distinguish the registered holder from downstream users and route origin. Test the designated abuse contact without assuming non-response proves false registration. Validate RPKI with current data and record the trust-anchor set. Check reverse DNS separately.
When reporting an error, name the exact proposition and harm. “This record is wrong” is difficult to triage. “The listed abuse mailbox rejects mail,” “the organisation denies control,” “the reverse delegation names servers no longer authorised,” or “the ROA origin conflicts with the holder’s authenticated request” creates a testable claim. Provide lawful evidence and protect unrelated personal data.
Track milestones, not only correspondence. Ask whether the case was accepted, which authority controls the change, whether another party must act, and how completion will be verified. If the answer remains generic, that itself is evidence of the missing commitment.
Researchers should resist turning partial public figures into a global score. A validation cadence, ticket response target, availability percentage and correction percentile measure different things. The honest result may be that comparison is not yet possible.
Accuracy is a duration as well as a state
A registry is not inaccurate merely because a report has been filed. Nor does one erroneous record discredit an entire regional institution. Accuracy is maintained through a sequence of controls: correct entry, periodic validation, anomaly detection, accessible challenge, careful decision, timely repair and verified propagation.
Time belongs in that definition. A confirmed error that remains authoritative for an unexplained period is a governance failure even if it is eventually corrected. A complex dispute handled through published stages can demonstrate accountability even when final resolution takes longer. The difference is visible duty.
The RIR community has already built many of the ingredients: recurring contact validation, inaccuracy reporting, structured RDAP, signed routing entities, reverse-DNS administration, community policy and institutional audits. What is missing is a common public view from defect to recovery.
The standard should not promise perfection or manufacture a universal statistic. It should make errors countable, delays explainable, repairs observable and decisions reviewable. Number resources are shared technical coordinates. The records that sustain their use deserve service commitments measured at the point where public dependence actually fails.
Sources
- IETF, RFC 7020: The Internet Numbers Registry System - establishes registration accuracy, uniqueness and accurate allocation information as core requirements while documenting, rather than redesigning, the recognised registry system.
- IETF, RFC 3912: WHOIS Protocol Specification - defines the limited text query-and-response protocol and supports the distinction between service reachability and substantive data correctness.
- IETF, RFC 9083: JSON Responses for RDAP - defines structured network, entity, autonomous-system and domain responses, including links, notices, remarks, status and events; it does not warrant the truth of returned values or set correction deadlines.
- IETF, RFC 9224: Finding the Authoritative RDAP Service - explains IANA bootstrap discovery for authoritative RDAP services and its limits.
- IETF, RFC 6480: An Infrastructure to Support Secure Internet Routing - describes the RPKI certificate hierarchy, repositories and ROAs, while bounding what certificates and repository freshness establish.
- IETF, RFC 8211: Adverse Actions in the RPKI - analyses harmful CA and repository actions and explains why remediation time can help distinguish and limit mistakes, attacks or compelled changes.
- IETF, RFC 3172: Management Guidelines for the ARPA Domain - describes management and delegation responsibilities for address-related reverse DNS.
- ARIN, Point of Contact Records - current guidance on annual validation, the 60-day response period, invalid marking and restoration of account functionality; these are contact-validation rules, not a universal correction SLA.
- ARIN, Report Whois Inaccuracy - public route for submitting a confirmed report for staff review and investigation; the form does not publish a complete correction-latency denominator.
- RIPE NCC, Regular abuse-c Validation - accepted policy record for at least annual abuse-contact validation and follow-up, with stated benefits and operational limitations.
- RIPE NCC, Consistency and Auditing Activity - describes accuracy duties, registry checks, requested corrections and consequences for non-cooperation.
- RIPE NCC, How to Find Abuse Contact Information - distinguishes keeping an abuse contact valid from responsibility for the network operator’s response to a substantive complaint.
- APNIC, Internet Number Resource Policies - states the six-month IRT validation cycle, response periods and consequences for failed contact validation within the APNIC region.
- AFRINIC, Why AFRINIC Verifies Member Information - describes member duties to maintain organisation, contact, resource, routing and reverse-DNS information.
- AFRINIC, Whois Terms of Use - assigns data-maintenance responsibilities and expressly limits guarantees of accuracy, completeness and availability.
- Number Resource Organization, SLA for IANA Numbering Services - shows a formal measured service boundary between ICANN and the five RIRs without implying the same thresholds govern public RIR corrections.
- IANA, Number Resource Performance Report for April 2025 - demonstrates published targets, actuals and zero-request denominators for allocation and reverse-DNS services at the IANA-RIR boundary.
- Number Resource Organization, RIR Governance Document Version 2 - August 2025 draft language on accurate and accountable services, transparency, disputes, audits and timely conduct; cited as a draft rather than current universal proof of compliance.
- Number Resource Society, Our Charter - NRS’s first-party case for accurate registration, limited registry power and voluntary recognition; used as advocacy that requires measurable institutional design, not as independent evidence about RIR performance.

