Summary
- Any alternative to the five-RIR model would have had to prevent double allocation, preserve aggregation, protect route-security state, fund shared public goods and recover from provider failure. That failure test comes first.
- The early RFCs identified a scaling problem in address administration; ICP-2 later converted regional coordination into an explicit one-RIR-under-one-management-and-location rule for each continental-scale region.
- The institutional bundle joined different functions with different technical requirements: authoritative number-resource state needs consistency, while service delivery, training, certification operations, dispute handling and some accountability functions can be analysed separately.
- The available record does not prove that unbundling would have been cheaper, safer or preferred by operators. It supports a narrower conclusion: the five regional monopolies were contingent designs whose alternatives require measurable coordination, security, funding and recovery tests.
The failure test before any institutional counterfactual
The useful starting point is not indignation about monopoly. It is the failure test that any rival design must pass. A numbering system cannot tolerate two independent authorities assigning the same address block to different holders. It cannot treat aggregation as optional when routing stability depends on coherent hierarchy. It cannot leave route-security assertions to uncoordinated writers without a way to decide which assertion is authoritative. It cannot fund education, policy development, records stewardship and dispute capacity only when they are profitable at the margin.
It also cannot let a failed provider strand records, keys, reverse DNS responsibilities or member obligations without a tested recovery route.
That test gives the existing regional Internet registry system its strongest case. A single recognised registry for a large region reduces conflicting updates, simplifies accountability and creates a stable home for expertise. It gives operators a known forum for membership service and policy discussion. It allows public-interest tasks to be cross-subsidised by registration revenue. It narrows the number of institutions that IANA, other registries and network operators must coordinate with for global state. Those are not cosmetic advantages.
They are the reasons a regional registry monopoly can be defended as infrastructure rather than mere incumbency.
The same test also prevents a lazy conclusion that the current bundle was technically inevitable. Global uniqueness requires coordinated authoritative state. It does not automatically require every service around that state to be performed by one permanent provider for one continental-scale region. The hard question is function-specific: which tasks require a single authoritative writer, which tasks require common rules, which tasks require certified state, which tasks require local service, and which tasks could have been supplied by accredited providers under a shared ledger and recovery framework.
If that distinction is not made, a need for unique records quietly becomes an argument for permanent organisational monopoly.
The bounded thesis is therefore simple. Hierarchical delegation was a rational response to Internet growth, globalisation and administrative scale. The one-registry-per-region model later made that response legible and durable. But registration, membership, policy, certification, reverse DNS, training, dispute handling and recognition were not one natural entity. They became a bundle through standards-era practice, recognition policy and inter-registry coordination. A serious counterfactual has to price the risks of separating them, but the pricing exercise itself shows that the bundle was a governance choice, not a law of physics.
The early scaling fork was real, but not complete
The early address-management documents should be read as evidence of a scaling fork, not as a complete institutional blueprint for the mature RIR order. RFC 1366 in 1992 framed regional distribution as a response to growth and globalisation. The problem was not abstract. As the Internet expanded beyond a small coordination environment, administrative centralisation created delay, local knowledge gaps and a mismatch between global uniqueness and regional service needs. Delegation toward regional bodies offered a practical way to keep records coherent while moving routine allocation work closer to the communities using the resources.
RFC 1466, published in 1993, gave the fork more operational shape. It described distributed regional registries empowered by IANA and the Internet Registry and set criteria for selecting registries. Its importance lies in the direction of travel. Address management could remain globally coordinated while being administered through regional structures. That was a major design move away from a purely central desk. It recognised that growth required institutional distribution without surrendering the goal of uniqueness.
The limits of those RFC-era texts are just as important. They were allocation-era instruments, not a final answer to every later question of scarcity, transfer, certification, membership governance or service portability. They show why regional administration was attractive before the five-RIR system fully matured. They do not prove that one corporate provider in each region had to control every adjacent function indefinitely. Nor do they settle whether a later market for accredited registry-service providers could have served members while writing to a common authoritative state.
This article does not rerun a portability-from-birth counterfactual. The narrower comparison is this: by the time the five-RIR order had formed, the design problem had changed from "Should address management be regionalised?" to "Which pieces of the regional registry bundle must remain exclusive, and which could have been made portable or federated without breaking uniqueness?" The early RFCs answer the first question more clearly than the second. They identify the reason for distribution, not the permanent boundaries of the institution that distribution eventually produced.
ICP-2 converted a coordination risk into a single-provider rule
The decisive institutional text for the mature model is ICP-2, accepted on 4 June 2001. ICP-2 did not merely describe a preference for regional coordination. It stated that each region, approximately continental in scale, should be served by a single regional Internet registry under one management and in one location. The stated concern was fragmentation. Multiple registries serving the same region were presented as creating coordination difficulty, inconsistent service and confusion among those using the registry system.
That rule deserves respect as a risk judgment. A numbering registry is not an ordinary customer-service business. If two providers can make incompatible changes to the same authoritative resource state, the problem is not inconvenience; it is loss of truth. If two policy interpretations generate conflicting registry outcomes, operators and upstream networks need to know which outcome governs. If a service provider disappears, there must be a way to preserve records, keys, reverse DNS, contacts and obligations. ICP-2's insistence on one recognised registry per region can therefore be defended as a conservative infrastructure rule.
But a risk judgment is not the same as a comparative proof. ICP-2 asserted the danger of multiple regional registries. It did not publish a side-by-side evaluation of shared-ledger designs, accredited service providers, separated policy bodies, modular dispute systems or contractual successor arrangements. The policy was formulated with existing RIR participation, which does not make it illegitimate, but it does mean the text should not be treated as a neutral market study. It tells us how the recognised system chose to manage risk. It does not tell us what all viable alternatives would have cost.
The one-management-and-one-location phrase is especially revealing. It treats fragmentation as an institutional problem solved through concentration. The premise is that clarity improves when the region has one recognised registry, one management structure and one location. That may be true for authoritative state, public-facing accountability and inter-registry coordination. It is less obviously true for training, help-desk service, certification operations, member communication or local dispute support. The same risk label was applied across functions whose technical needs differ.
The right reading is neither hostile nor deferential. ICP-2 supplied a rule that helped stabilise the regional registry order. It reduced confusion and gave IANA, the RIRs and operators a simple map of authority. At the same time, it converted a technical requirement for consistent registry state into a broader organisational exclusivity rule. The text justifies the conversion by pointing to fragmentation and confusion. The missing evidence is the comparison: whether all functions needed that exclusivity, and whether modular safeguards could have controlled the same risks at lower lock-in cost.
The bundle that later looked natural
By the time the five-RIR system became the ordinary map of number-resource governance, several different tasks had been folded into one institutional provider for each region. The recognised RIR was the source of registry service. It was also the membership organisation, the local policy arena, the keeper of registration records, a coordinator for reverse DNS, a entity in certification arrangements, a provider of education and community meetings, and a forum in which disputes were first shaped before external law or higher coordination mechanisms entered.
The same name covered ledger state, rules, services, public goods and institutional voice.
That bundling had practical advantages. A single provider could maintain staff expertise across adjacent tasks. It could connect member service with policy interpretation. It could fund activities that did not produce direct transaction revenue. It could preserve confidentiality because sensitive operational data did not need to circulate across multiple service contractors. It could reduce reconciliation cost because the organisation that received member requests also maintained the record system and understood the local policy history. In infrastructure, low reconciliation cost is not a minor benefit.
Bundling also created dependency. A network operator that needed registration service, policy access, reverse DNS administration, certification support and dispute attention did not have a normal supplier-choice problem. The recognised regional registry was not one provider among several. It was the institutional path through which the operator's number-resource relationship was administered. Recognition, membership and records all pointed in the same direction. Over time, that concentration made the bundle appear technically inevitable even where some functions had weaker uniqueness requirements than the authoritative ledger itself.
The following matrix separates the functions. It is not a proposed procurement design. It is a way to keep the analysis honest by asking what must be unique, what is presently concentrated, what a modular alternative would have to protect, and what recovery plan would be needed before any change could be credible.
| Function | Uniqueness requirement | Present control point | Conceivable modular alternative | New coordination risk | Switching/recovery requirement |
|---|---|---|---|---|---|
| Authoritative number-resource ledger | Very high: one global truth must prevent double allocation and incompatible status changes | IANA-to-RIR delegation and each recognised regional registry's records | Shared authoritative ledger with accredited regional service writers and strict consensus rules | Conflicting writes, fraud, delayed reconciliation, unclear finality | Tested transfer of records, signatures, audit trails and decision authority to a successor |
| Registration service and member account handling | Medium to high: service can be distributed, but state updates must be final and consistent | The recognised RIR's member-service desk and internal systems | Accredited service providers submitting validated changes to a common registry state | Uneven service quality, identity fraud, inconsistent interpretation of policy | Mandatory escrow, identity assurance, service-provider exit rules and member continuity plan |
| Policy development | Medium: rules must be common for affected resources, but deliberation need not be supplied only by a service desk | RIR community process around the recognised registry | Independent regional policy forum with binding publication into registry rules | Capture by entities separated from operational accountability | Clear rule-adoption threshold, appeal path and emergency suspension procedure |
| RPKI and certification support | High for certificate state and key integrity; lower for education and support | Registry-operated certification services tied to resource records | Common certification authority model with separated support desks and audit controls | Key compromise, stale certificates, confused liability for validation failures | Key rollover procedure, escrowed operational manuals, independent audit and disaster recovery |
| Reverse DNS coordination | High for authoritative delegation; medium for customer support | Registry coordination attached to number-resource records | Shared DNS operation under contractual service levels, with multiple support providers | Inconsistent delegation, delayed updates, unclear incident command | Escrowed zone data, incident escalation rules and successor DNS operator appointment |
| Training and education | Low for uniqueness; high for accuracy and neutrality | RIR-funded meetings, training and documentation | Competitive or federated education providers using common curriculum standards | Low-quality guidance, uneven regional access, marketing capture | Certification of trainers, open materials, funding for underserved communities |
| Membership and fee collection | Medium: funding must be stable and fair; provider identity can be separable from ledger truth | RIR membership organisation and fee schedule | Central funding pool or regulated service fees supporting common functions | Free-riding, underfunded public goods, distorted incentives | Reserve requirements, collection fallback and public reporting of cost allocation |
| Dispute handling and appeals | Medium to high: final decisions must be authoritative, but review can be institutionally separate | Internal registry process, community rules and external legal routes where applicable | Independent review body for registry decisions with binding effect on ledger updates | Slow resolution, forum shopping, inconsistent standards | Time limits, emergency preservation of records and enforceable correction orders |
| Inter-registry coordination | Very high for global consistency; lower for public representation | RIR collective coordination through the NRO and related arrangements | Contractual council of ledger operators with defined voting, escalation and successor rules | Deadlock, incumbent veto, unclear authority for new entrants | Deadlock breaker, temporary administrator and continuity terms for failed entities |
The matrix highlights two realities that are often blurred. First, the ledger cannot be treated as an ordinary open market. Multiple writers without consensus and recovery would create exactly the hazards ICP-2 feared. Second, not every function around the ledger has the same exclusivity requirement. Education, member support, some dispute review and parts of service delivery can be imagined as modular functions if, and only if, the authoritative state remains protected by identity assurance, audit, liability, funding and successor provisions.
The authoritative ledger is the hard core
The strongest boundary around the RIR model is the authoritative number-resource ledger. Without a trusted state for who holds which resources, the rest of the system becomes ambiguous. Allocation and assignment records influence routing practice, reverse DNS, contactability, certification and transfer evaluation. A design that permits double allocation or irreconcilable status changes would fail before its governance philosophy mattered.
This is why the word "monopoly" can mislead if used loosely. The hard core is not monopoly as a business preference. It is exclusivity of authoritative truth. A numbering ledger needs finality. It needs a way to know which block is delegated, which holder is recorded, which policy condition applies and which institution can change the record. If a modular model cannot specify that finality, it is not a model. It is an invitation to conflict.
Yet finality can be produced in different institutional ways. It may come from one regional provider controlling the record. It may come from a shared ledger with one accepted decision process. It may come from a contractual operator whose actions are audited and recoverable. It may come from a hierarchy in which only certain institutions can write certain classes of state. The technical need is consistency, not necessarily that all surrounding services remain inside one organisation forever.
The present RIR system solved finality through recognised regional authorities. That solution had low conceptual overhead. Operators knew where to go. IANA knew whom to delegate to. Other RIRs knew whom to coordinate with. The model avoided complex multi-provider write protocols inside a region. In the growth period from the early 1990s through the establishment of the mature RIR order, simplicity had value.
The cost of that simplicity is institutional dependency. Once the recognised regional registry becomes the only place where authoritative state can be changed, every adjacent service gains leverage from that position. Membership obligations, service procedures, policy disputes and certification arrangements all operate under the shadow of the unique ledger. Even when a function could theoretically be supplied elsewhere, the operator cannot easily exit the recognised registry relationship without leaving the recognised registry state. That is the lock-in mechanism that has to be named without pretending uniqueness itself is optional.
Service delivery is not identical to final authority
Registration service involves receiving requests, verifying identity, checking policy eligibility, communicating with members, updating records and preserving evidence. Some of that work is inseparable from final authority. A status change cannot be treated as valid until it is accepted into the authoritative record. But the customer-facing work before that final update is more modular than the ledger itself. Verification, documentation, translation, regional outreach and technical support can be structured in several ways if the final write path is controlled.
A modular alternative would have required accredited service providers rather than free-for-all competitors. Providers would need identity controls, conflict checks, audit duties, confidentiality rules and liability for bad submissions. They would have to use common policy interpretations or escalate doubtful cases to a central authority. They would need to escrow records so a failed provider could be replaced without losing member history. They would also need a funding model for public goods that ordinary service fees might not support.
Those requirements are heavy. They explain why the integrated RIR model was attractive. A single registry can combine identity assurance, policy interpretation and record updates in one chain of custody. It can train staff under one operational culture. It can detect suspicious patterns across member interactions. It can avoid a market in which service providers compete by pushing eligibility boundaries or promising faster outcomes than the rules allow.
But "heavy" is not the same as "impossible." Banks, domain registries, certificate authorities and other infrastructure-adjacent systems have used accreditation, escrow, audit and successor arrangements to separate some service functions from authoritative state. That analogy cannot be imported without adjustment, because Internet number resources have their own history and policy structure. Still, it shows that an institutional monopoly is only one way to manage finality. The relevant question is whether the safeguards would cost more than the lock-in they reduce.
The available record does not answer that question. There is no observed cost series comparing integrated RIR service with an accredited-service model. There is no operator preference survey showing whether members would have paid for portability or preferred a single registry desk. There is no production migration plan proving that modular service would have been safe. The honest conclusion is not that unbundling was superior. It is that service delivery is analytically separable from final authority, and the system chose not to separate it.
Policy and membership create legitimacy, but also entrenchment
RIR policy development is one of the strongest public-interest arguments for the bundle. Address management rules need local knowledge, operator participation and continuity. A regional registry can convene meetings, publish proposals, preserve records of discussion and implement accepted policy. The membership organisation supplies a constituency and a funding base. That structure is more legitimate than a hidden administrator applying rules without community process.
Bundling policy with registry operation also creates feedback. Staff who understand operational constraints can inform policy discussions. Members who experience service problems can raise them in the same institutional environment where rules are developed. A registry that must implement policy has incentives to explain feasibility. This feedback can reduce the distance between rule-making and operational reality.
The risk is that the provider's centrality becomes the frame within which legitimacy is measured. If the only recognised path to policy is the RIR's own process, then debate over the provider's role, fees, service quality or dispute procedures occurs inside the institution that benefits from the current arrangement. That does not make the process invalid. It means the process has an incumbency problem. The rule-maker, service provider and membership host are not fully separate.
A modular model could have imagined an independent regional policy forum whose adopted policies bind the authoritative ledger operator. That would reduce provider control over rule-making, but it would introduce other risks. The policy forum could be captured by a narrow entity group. It might adopt rules difficult for operators to implement. It could leave the ledger operator responsible for consequences it did not help design. It would need a clear adoption threshold, an appeal path and an emergency rule for situations where implementation would endanger registry integrity.
Again, the exercise is not to declare modular policy better. It is to price the choice. The integrated model lowers coordination cost and ties rule-making to operational knowledge. The separated model could reduce institutional self-protection but would require stronger accountability rules and a binding interface with registry operations. ICP-2's single-provider rule avoided this complexity by treating the regional registry as the natural home for both service and policy. That design worked as a stabilising simplification, but it was still a design.
Certification, reverse DNS and the security boundary
Certification and reverse DNS make the separation problem more sensitive. Route-security state depends on reliable links between number-resource records and cryptographic or DNS assertions. If the holder record is wrong, certification can amplify the error. If keys are mishandled, stale or compromised, networks may face validation failures or misleading trust signals. If reverse DNS delegations are inconsistent, operational troubleshooting and abuse handling can become harder.
These functions strengthen the case for keeping certain operations close to the authoritative registry. A provider responsible for the resource record has context for certificate issuance, revocation and support. It can align reverse DNS changes with registry status. It can coordinate incident response without passing sensitive data across multiple contractors. It can define operational procedures under a common risk culture.
They do not prove that all support functions must be monopolised. A separated design could keep final certificate authority and reverse DNS delegation under a common, audited control point while allowing multiple support providers to help members prepare requests, manage documentation or understand procedures. Such a model would require strict identity proofing, key-management rules, incident escalation and audit. It would also require members to know when they are receiving advice from a support provider rather than final authority from the registry state.
The coordination risks are serious. A bad service provider could mishandle key material, submit inaccurate changes, delay revocations or confuse members about which state is authoritative. Liability would be difficult because failures could arise from the member, the support provider, the common certification system or the registry decision process. Recovery would require key rollover, preserved logs, emergency suspension and a clear chain of command. Those demands are exactly why integrated RIR operation has a strong security argument.
The institutional lesson is narrower than a defence of every monopoly function. Security-sensitive state should remain tightly controlled. Support, education and review around that state can be modular only where the control boundary is explicit. The existing bundle solves the boundary problem by collapsing most functions into one provider. A counterfactual must solve it through rules, audit and recovery instead. The fact that the counterfactual is difficult does not make the bundle inevitable; it makes the bundle's convenience visible.
Public goods are the best economic defence of the bundle
Training, meetings, documentation, policy records and regional outreach are not side decorations. They are public goods around the registry system. Many operators benefit from accurate training materials even if they do not pay directly for a class. Policy archives help future entities understand why rules exist. Regional meetings build trust and bring smaller networks into discussions that would otherwise be dominated by the largest holders. These functions are costly and unevenly monetisable.
A financially durable regional nonprofit can cross-subsidise them. Registration and membership revenue can support education, outreach, translation, facilitation and technical assistance. The provider's monopoly position makes that cross-subsidy more stable because the institution is not forced to compete only on narrow transaction fees. In regions with uneven operator capacity, that stability may matter more than theoretical supplier choice.
This is a strong argument against simplistic competition rhetoric. If modular service providers captured profitable account work while leaving education and community facilitation unfunded, the system could become less equitable. Large operators might receive sophisticated support, while smaller networks lose the subsidised public goods that help them participate. A competitive service layer without a public-goods fund could hollow out the very community basis that gives registry governance legitimacy.
The answer would have to be a funding mechanism. A modular design could require all accredited providers to contribute to a central public-goods pool. It could reserve a portion of fees for training and policy support. It could publish cost allocations and require service in underserved areas. But those rules would themselves need administration and enforcement. The regional monopoly simplifies this by combining revenue collection and public-goods spending inside one institution.
The evidence available here does not show which model would have funded public goods better. It does show that any alternative must treat funding as a first-order design constraint. A counterfactual that promises provider choice while assuming training, policy archives and outreach will fund themselves should be rejected. The bundle's strongest economics are not that monopoly is virtuous. They are that shared infrastructure requires stable revenue for work that markets may underprovide.
Disputes, liability and recovery define the real switching cost
The most revealing test for a modular registry design is not ordinary service. It is dispute and failure. When a member challenges a denial, when records are alleged to be wrong, when a provider mishandles confidential data, when a certificate state must be corrected quickly, or when a service organisation fails financially, the system needs more than normal operating instructions. It needs authority to preserve state, decide who can act, restore service and assign responsibility.
The integrated RIR model lowers this switching problem by having a single recognised institution at the center. If a dispute arises, the relevant records, procedures, staff and institutional responsibility are concentrated. External legal processes may still matter, but the operational point of contact is clear. If the registry itself fails, the problem becomes grave, but there is at least a known entity whose responsibilities must be transferred.
A modular design multiplies the edges. A bad account update might involve a member, an accredited service provider, a policy interpretation body and a central ledger operator. A certification failure might involve key management by one entity, support advice from another and record state maintained by a third. A dispute body might order correction, but the ledger operator would have to implement it. Every interface needs time limits, evidence rules, confidentiality duties and liability allocation.
That does not make modularity impossible. It makes recovery the price of modularity. Before any alternative could be credible, it would need mandatory escrow of member records, audit logs, operational manuals, signing procedures and pending disputes. It would need a successor appointment process that works when an operator is insolvent or hostile. It would need emergency powers that preserve current state without letting an administrator make arbitrary changes. It would need enforceable duties so members are not left between institutions.
This is where a lot of theoretical criticism of monopoly becomes too cheap. It counts lock-in but not recovery. The present system creates dependency on regional providers. A modular system creates dependency on interfaces, contracts, auditors, successor rules and dispute bodies. The relevant comparison is not monopoly versus freedom. It is one concentrated dependency versus a set of distributed dependencies that must still converge on authoritative state.
The NRO shows coordination among incumbents, not a market test
The NRO Memorandum of Understanding, dated 24 October 2003, is useful because it shows how the regional registries coordinated once the incumbent model was already in place. The agreement created a collective mechanism among RIRs, and the obligations required unanimous written commitment. Four RIRs created the arrangement, with AFRINIC joining after its later recognition. The document is not a competition study. It is an inter-registry coordination instrument.
Its significance is institutional. By 2003, the relevant actors were not merely independent regional desks. They were creating a collective form to speak and coordinate across regions. That strengthened the five-RIR order by giving it an organised inter-registry layer. It also made recognition and participation more consequential, because joining the regional registry family meant entering a coordinated system rather than simply operating a local allocation office.
The unanimous commitment feature cuts two ways. It can protect regional registries from being bound without consent, which supports institutional stability. It can also entrench incumbents by making coordinated change difficult. If every entity must commit in writing, the system gains predictability but loses some capacity for experimental redesign. That tradeoff is familiar in infrastructure governance: the same rule that prevents reckless change can also slow needed adaptation.
The NRO document therefore helps explain why the bundle became harder to question. The more the RIRs coordinated among themselves, the more the five-provider map looked like the operating constitution of number-resource governance. A single regional registry was not only the service provider for its region. It was also one node in a recognised inter-registry collective. That relationship raised the institutional cost of imagining portable service providers or alternative regional arrangements.
The document does not show that alternatives were impossible. It does not compare a shared ledger with accredited service providers. It does not measure operator demand for portability. It does not quantify the cost of incumbent coordination versus modular competition. Its evidence is narrower and still important: once the RIRs were coordinated through their own collective arrangements, the one-provider-per-region model was reinforced at the global layer.
The later IANA numbering agreement is only a bounded analogy
The IANA numbering services agreement that became effective on 1 October 2016 belongs outside the core 1992-2010 formation period, but it supplies a useful analogy if kept within bounds. It shows that performance expectations, escalation, dispute resolution, renewal and successor-operation provisions can be written into a formal operating arrangement at one layer of the numbering system. In other words, unique coordination can be expressed through modular contractual terms rather than only through institutional tradition.
The analogy must not be overstated. That agreement governs the relationship for IANA numbering services. It is not evidence that competition among registration providers inside a region already works. It does not prove that members would prefer portable service. It does not test the safety of multiple accredited writers to regional resource state. It postdates the period in which the five-RIR model formed and should not be read backward as proof of what would have been feasible in the early 1990s or in 2001.
Its value is conceptual. If one layer can specify service expectations, escalation, dispute handling and successor arrangements, then the design vocabulary exists for separating function from institution. A modular regional model would need similar vocabulary, but stricter in some respects because it would affect member accounts, certification, reverse DNS and local policy implementation. The later agreement does not answer the cost question. It shows the kind of clauses a serious alternative would need.
That point matters because debates over RIR monopoly often become binary. Either the regional provider is treated as the only possible home for all functions, or competition is treated as a generic cure. The later agreement points to a third style of reasoning: define the service, define performance, define escalation, define dispute handling, define renewal and define successor operation. A credible counterfactual must be that concrete. It must be institutional engineering, not a slogan.
A distributed countermodel is evidence of imagination, not production proof
The 2018 experiment in distributed Internet address management using blockchains is relevant as a technical countermodel because it shows that researchers could separate distributed address-management state from the existing five private organisations in at least a prototype setting. It is useful evidence against the claim that no one can even imagine nontraditional registry state. It is not evidence that such a system is ready to govern production Internet number resources.
The limits are decisive. A prototype does not prove security under hostile incentives. It does not solve governance legitimacy, legal enforceability, migration from current records, confidentiality, fee funding, dispute handling or successor operation. It does not show that operators would accept the system or that regulators and courts would understand its outputs. It does not prove that consensus technology reduces cost once audits, identity assurance, key recovery and liability are included.
The countermodel should therefore be used carefully. It expands the design space by reminding us that authoritative state can be represented and validated in more than one technical architecture. It also reinforces the failure test. Any distributed system still needs a way to prevent double allocation, identify authorised changes, recover from key compromise, reverse bad updates, fund support and assign responsibility. Consensus without accountable governance would only replace one dependency with another.
That is why the question in this article is not "Should number resources be placed on a blockchain?" The answer is not supplied by the evidence and should not be invented. The question is whether the five-RIR bundle should be understood as the only possible form of consistency. The experiment helps answer that narrower question by showing that alternative technical state models can be proposed. It does not show that they are legitimate, cheaper, safer or deployable.
A falsifiable cost-and-risk rubric
Because the available record does not include comparative cost data, failure rates, operator preference surveys or production trials of modular alternatives, the honest method is a rubric rather than a numeric verdict. The rubric should ask five questions. First, does the design preserve a single authoritative state for each resource at every moment, including during disputes and failures? Second, does it maintain aggregation and avoid policies that fragment routing incentives? Third, does it protect certification and reverse DNS state from inconsistent or fraudulent changes?
Fourth, does it fund public goods that do not have direct transaction revenue? Fifth, can it transfer service, records and authority when a provider fails?
An integrated regional registry scores well on simplicity, clear authority, staff continuity and public-goods funding. It scores less well on member exit, competitive pressure, independent review of provider performance and resilience to provider-level failure. A modular accredited-service design might score better on choice and review, but worse on interface complexity, reconciliation cost, liability and incentives for providers to chase profitable accounts. A distributed ledger design might score better on replicated state, but worse on governance legitimacy, confidentiality, key recovery and legal accountability.
The rubric also needs measurement. For cost, the evidence would need full function-by-function data: ledger operations, membership service, policy support, certification, reverse DNS, training, dispute handling, audits and reserve requirements. For risk, it would need historical incident data and modelled failure scenarios. For demand, it would need operator surveys or revealed-preference evidence showing whether members would switch providers, pay for portability or prefer the existing single desk. For recovery, it would need tested migration exercises, not confidence statements.
This approach avoids two unsupported claims. It does not claim the five-RIR bundle is optimal because it lasted. Longevity is evidence of continuity, not proof of best design. It also does not claim that competition would be cheaper because competition often lowers prices in ordinary markets. Registry governance is not an ordinary market, and the costs of consensus, audit, liability and recovery may be substantial. The only defensible claim is that the current bundle should be evaluated against alternatives by function, not protected by the assumption that technical uniqueness settles every institutional question.
The strongest case for the five regional monopolies
The best defence of the five-regional-monopoly design is operational continuity under a public-interest nonprofit model. For decades, the RIR system provided a recognisable structure for number-resource administration. Operators knew where to obtain service. IANA knew the regional counterpart for delegation. RIR communities developed policy processes. Inter-registry coordination was managed among a small number of institutions. Education, meetings and records work could be funded by the same organisation that administered the resources. The model delivered continuity, and continuity matters.
The model also reduced reconciliation. When the same institution handles the member account, policy interpretation, record update, reverse DNS coordination and related support, fewer interfaces can fail. Confidential information remains within one organisation. Staff can develop deep expertise in regional policy and member history. Decisions can be documented in one institutional record. Those advantages are especially important where mistakes affect not just one customer relationship but the trustworthiness of shared infrastructure.
The nonprofit structure adds a further defence. A regional registry is not supposed to maximise transaction revenue by selling favourable interpretations. Its legitimacy depends on service, neutrality, community process and stewardship. A competitive layer might introduce incentives that are hard to control: providers could compete on speed, leniency, lobbying or bundled consulting. The integrated RIR model limits those incentives by keeping final service inside an institution whose public-interest purpose is part of its identity.
There is also a confidentiality argument. Number-resource administration can involve business plans, network expansion, contact data and sensitive operational information. A single registry can be held to confidentiality duties through one governance structure. Multiple providers increase the number of places where sensitive data can leak or be misused. Audits and contracts can reduce that risk, but they cannot remove it.
These arguments are strong enough to reject any counterfactual that treats monopoly as self-evidently bad. The current model was not an accidental cartel pasted onto a neutral technical problem. It was a conservative infrastructure arrangement designed to preserve consistency, service and coordination while the Internet globalised. Its public-goods economics and low reconciliation cost deserve serious weight.
The strongest case against treating the bundle as inevitable
The case against inevitability begins with lock-in. A member cannot move its authoritative registry relationship to a competing provider in the same way it might change an ordinary vendor. The recognised RIR's control point is embedded in the global numbering hierarchy. That gives the provider leverage even when the dispute is about service quality, fees, procedure or institutional accountability rather than the technical uniqueness of the resource record.
Provider failure is the second concern. A single regional registry simplifies authority in ordinary times, but it concentrates operational and governance risk. If the provider faces financial, legal or institutional distress, the region's members cannot simply select another fully equivalent registry service overnight. The failure of a monopoly provider is not just the failure of a vendor. It becomes a continuity problem for records, policy, certification, reverse DNS and inter-registry coordination.
The third concern is that bundling can conceal performance differences among functions. A registry may be excellent at ledger maintenance but weak at dispute handling. It may be strong in technical operations but poor at outreach. It may run effective education but lack independent review of sensitive decisions. If all functions are justified by reference to the ledger's uniqueness, poor performance in a separable function becomes harder to contest. The institution can borrow legitimacy from its hardest technical task.
The fourth concern is lack of comparative evidence. ICP-2 did not publish a robust evaluation of modular alternatives. The NRO arrangement coordinated incumbents rather than testing service portability. The later IANA agreement shows modular terms at one layer but does not measure intra-region competition. The distributed countermodel shows imagination but not production readiness. The record therefore supports the conclusion that alternatives were not proven, not that they were disproven.
The fifth concern is adaptation. A system designed for growth-era allocation may face different stresses under scarcity, transfers, certification reliance and legal contestation. Bundles that were efficient under one period can become harder to justify when functions evolve. That does not mean the five-RIR model failed. It means that institutional designs should not be shielded from remeasurement by the fact that they solved an earlier problem well.
The minimum viable counterfactual
A minimum viable counterfactual would keep the authoritative number-resource ledger unique while separating some service and accountability functions under strict accreditation. It would not allow arbitrary providers to write resource state. It would not create rival regional registries with incompatible authority. It would preserve IANA-to-registry hierarchy and inter-registry coordination. Its purpose would be narrower: test whether member-facing service, training, some support functions and independent review could be portable while final state remains controlled.
In that design, the ledger operator would maintain final resource state, certification authority boundaries and reverse DNS delegation authority. Accredited service providers could help members submit requests, manage documentation, receive training and navigate policy. An independent policy forum could define rules, with operational review before adoption. A separate review body could handle disputes under time limits and issue binding correction instructions. A public-goods fund would finance education, meetings, archives and underserved-community support. All providers would be audited and required to escrow records.
The counterfactual would need hard recovery provisions. If an accredited provider failed, member files would transfer to another provider or to the ledger operator. If the ledger operator failed, a successor operator would be appointed through a predefined mechanism, with records, keys, logs and operational manuals available. If a dispute affected certification or reverse DNS, emergency preservation rules would prevent harmful changes while review proceeded. If a provider submitted fraudulent changes, liability and suspension rules would apply without leaving members stranded.
This design is intentionally modest. It does not claim that five regional registries should be replaced. It does not recommend a blockchain or any named technology. It does not assume that provider choice creates legitimacy. It does not treat public goods as free. It simply separates final authority from some service functions and asks whether the separation can be made safer, cheaper or more accountable than the current bundle.
The evidence needed to reject it is also concrete. Show that accredited providers raise fraud, cost or delay beyond acceptable levels. Show that operators do not want portability when they understand the fees and risks. Show that public-goods funding collapses when service is separated. Show that independent review slows emergency corrections or creates inconsistent interpretations. Show that successor arrangements cannot preserve certification, reverse DNS and records without unacceptable risk. Such evidence would not defend monopoly by assumption. It would defend it by measurement.
What can be concluded now
The sources support a disciplined conclusion. The early RFCs show why regional administration emerged as a scaling response. ICP-2 shows how that response hardened into a one-RIR-under-one-management-and-location rule for each large region. The NRO MoU shows incumbents coordinating their collective obligations after the regional model had become established. The later IANA numbering agreement shows, only by bounded analogy, that service expectations and successor rules can be specified at one layer.
The distributed address-management experiment shows that alternative technical state models can be imagined, while proving none of the production requirements.
They do not support a claim that unbundling would have been cheaper. They do not support a claim that operators wanted portable providers. They do not show a safe migration path from the existing RIR order to a modular design. They do not prove that multiple writers can touch authoritative state without consensus and recovery. They also do not prove that every function in the regional registry bundle had to remain permanently monopolised by one provider.
The institutional history is therefore more interesting than either defence or critique usually admits. The five regional monopolies were a rational way to solve coordination under growth, globalisation and administrative scale. They protected uniqueness by making authority simple. They funded public goods and reduced reconciliation costs. They also fused separable functions into institutions that became hard to exit, hard to benchmark and hard to replace.
The minimum testable design is not a rival ideology. It is a controlled experiment on separability: keep authoritative registry state unique, define non-negotiable security and recovery rules, fund public goods explicitly, and allow only those service functions to become portable that can survive audit, liability and successor tests. If that experiment fails, the monopoly bundle gains a stronger evidence-based defence. If it succeeds, the lesson would not be that the RIRs were unnecessary. It would be that global uniqueness required a protected ledger, while the permanent bundling of every adjacent function was only one possible design.

