Summary

  • An AFRINIC-to-NRS transition must preserve one authoritative state for every number resource. Operator choice should decide who provides registry service, not permit competing custodians to publish incompatible claims for the same address space or ASN.
  • The unit of migration is not a row in WHOIS or RDAP. It is a signed continuity envelope containing holder authority, resource status, contacts, transfer history, pending requests, disputes, court restraints, reverse-DNS state, routing-security state, credentials, change history and the evidence needed to reproduce each conclusion.
  • Migration should proceed through readiness, protected replication, independent reconciliation, voluntary dual running, limited service cutover, audited expansion and only then any recognised long-term succession. Existing live state remains authoritative until a published activation event says otherwise.
  • Number Resource Society has a useful operator-centred and bookkeeper-limited direction, but its public charter does not prove that a production registry, recognition agreement, portable data standard or independent remedy system already exists. The positive case depends on building and testing those constraints.
  • Success is measured by continuity and reversibility: no duplicate authority, no lost dispute, no unexplained record change, no avoidable RPKI or reverse-DNS interruption, no requirement that operators reconstruct their history, and a clear route to return or move again.

Registry failure is not permission to fork the truth

AFRINIC's crisis has made a difficult institutional proposition easier to see. A regional registry can continue serving records while its corporate governance is impaired, its leadership is disputed, its finances are under pressure or its authority is being tested in court. Technical continuity and institutional legitimacy can diverge for a long time.

That observation creates a temptation. If the institution is the problem, build another registry, copy the records and invite operators to leave. The proposal sounds like ordinary vendor competition. It is not. Two customer databases can coexist. Two services cannot safely claim final authority over the same resource state without rules for which one relying parties should believe.

An IPv4 prefix, IPv6 allocation or ASN can appear in many systems, but the public registry layer must not produce incompatible holder, contact, transfer or delegation answers. Reverse DNS requires a coherent delegation. Routing-security certificates and route origin authorisations depend on a recognisable trust chain. Inter-RIR transfers need one completion state. IANA's top-level registries identify blocks administered through RIRs. A transition that creates two plausible truths would turn institutional reform into technical uncertainty.

The positive NRS case therefore begins with restraint. Number Resource Society should not claim that a record becomes authoritative because an operator has joined it, because an incumbent has failed politically or because a new database is more accurate in the opinion of its maintainers. It should define a route by which evidence, service and recognition move together under a verifiable cutover.

This is a continuity architecture, not a declaration of independence. It treats AFRINIC failure as a reason to make the registry function portable while refusing to make uniqueness optional.

The service must be separated from the company

The conceptual move is to distinguish the registry function from the corporate provider. AFRINIC Ltd is a Mauritian company with members, directors, employees, contracts, assets, liabilities and legal proceedings. The registry function is a set of services and obligations: maintaining accurate number-resource records, authenticating authorised changes, publishing registration data, supporting reverse DNS, operating routing-security services, recording transfers, processing valid requests and preserving evidence.

The company currently provides the function in the African service region. That history and recognition matter. They do not make the function physically inseparable from the legal person. Other registry transitions have required data, responsibility and service to move. The 2005 IANA recognition material for AFRINIC itself described a transition from predecessor RIR arrangements and examined AFRINIC's ability to maintain records, staff and services. The existence of a recognised transition into AFRINIC is evidence that registry administration can move when the conditions are defined.

Separation does not mean stripping AFRINIC of authority while it remains capable and recognised. It means preparing for three different states. In the first, AFRINIC operates normally and NRS offers independent continuity assurance without publishing rival authority. In the second, AFRINIC remains the legal registry while a qualified NRS custodian provides specified services as agent or substitute under a valid mandate. In the third, a recognised succession transfers durable responsibility to another arrangement.

These states need different triggers and instruments. Voluntary operator preparation is not emergency activation. Technical assistance is not contract transfer. Recognition of a successor is not the same as copying data. An orderly design names the state instead of letting political language blur it.

The result is a smaller but stronger claim: the registry service should survive the registry company, and every transfer of service should be narrower than a transfer of sovereignty.

NRS is a direction, not yet a production fact

The public NRS Charter argues that number-resource bodies should behave as accurate bookkeepers, respect the limits of private-law institutions, avoid unnecessary interference with operators and support transparency, accountability and an unrestricted Internet. That is a useful direction for continuity because it places the record and the operator above institutional prestige.

The charter does not, by itself, establish a functioning successor registry. It does not show an authoritative data agreement with AFRINIC, IANA recognition, production RPKI key ceremonies, reverse-DNS delegation, a tested transfer protocol, accredited custodians, data-protection roles, an independent tribunal or funds sufficient to operate during a crisis. Advocacy for portability is not proof that portability has been engineered.

This limitation should be stated positively. NRS has an opportunity to build its legitimacy from verifiable constraints rather than inherit the RIR habit of treating recognition as a broad mandate. Its first valuable product would not be a competing record. It would be a continuity standard that an operator, incumbent registry, court, auditor and relying party can inspect.

The standard should apply to NRS as strictly as it applies to AFRINIC. An NRS custodian cannot alter a holder because it sympathises with a member. It cannot hide a dispute because the incumbent is unpopular. It cannot retain records after its mandate expires. It cannot merge advocacy membership with registry authority. It must be replaceable.

That is how the transition avoids becoming a campaign to substitute one gatekeeper for another. NRS earns a role by making custodianship portable, bounded and reversible, including its own custodianship.

The continuity envelope is the unit of migration

A database dump is not enough. Public registration data can show a resource, organisation and contact while omitting the evidence that made those fields authoritative. A successor receiving only the visible row may know the current answer and not know why it is the answer, whether it is disputed or which pending act could change it.

The migration unit should be a continuity envelope for each resource relationship. At minimum it should contain:

  1. the resource range or ASN and its registry status;
  2. the stable identifier of the legal or operational holder;
  3. the evidence and decision establishing the current authority;
  4. current administrative, technical and abuse contacts with verification dates;
  5. agreement, membership and service status where relevant;
  6. allocation, assignment, transfer, merger and name-change history;
  7. pending requests, holds, investigations and review deadlines;
  8. court orders, contractual restraints and dispute metadata;
  9. reverse-DNS delegation state and change authority;
  10. RPKI account, certificate, publication and route-authorisation state;
  11. credentials, recovery methods and privileged access history in protected form;
  12. invoices, credits and service-payment facts that affect current access;
  13. every material change after the verified snapshot; and
  14. signatures or attestations identifying the source, validator and time.

Not every recipient should see every document. Identity files, contracts and legal material may require restricted access. Portability means the receiving custodian can verify that evidence exists, who checked it, what conclusion it supports and how to obtain targeted disclosure if challenged. It does not mean publishing a member's confidential file.

The envelope makes migration an evidentiary act. If a field cannot be reproduced, it is marked uncertain rather than silently accepted. If two sources conflict, both travel with the dispute. If the public row is wrong, correction occurs through a recorded decision, not through an unexplained cleanup before export.

A transition needs one state machine

Every envelope should occupy a defined migration state. A plain label such as copied or moved is too vague. The following state sequence is more defensible:

State Authority and permitted action
Source authoritative AFRINIC remains the only authority; NRS may validate protected replicas but cannot publish changes as final.
Reconciliation pending A replica exists, differences are classified and destructive changes remain subject to enhanced logging.
Dual running, source final Both systems process test or mirrored operations; AFRINIC's signed state remains final.
Limited NRS service NRS performs named functions under a valid mandate while rights-altering acts remain with AFRINIC or an independent decision-maker.
NRS authoritative for selected functions A published activation assigns finality for specified services, with one change channel and one audit log.
Full recognised succession Authority, contracts, data and external recognition have moved under an adopted instrument.
Return or onward port All changes reconcile and the next custodian receives the complete envelope.

The state belongs to the resource relationship, not only to the institutions. Different functions may move at different times. Public lookup could be served from a verified replica before contested transfer decisions move. Existing reverse-DNS data could be maintained before new delegations are accepted. Routine contact corrections could move before resource-holder disputes.

The state machine prevents political announcements from outrunning technical authority. A press release cannot move an envelope. An election cannot revert it. A court order affects only the state and functions within its scope. Relying parties can determine which service is authoritative at a given time.

Most importantly, there is never an undefined dual-authority stage. Dual running is allowed for comparison and resilience, but finality remains singular.

Readiness comes before activation

The first phase should operate while AFRINIC services are available. Waiting for collapse would force hurried reconstruction from public records and private operator archives. Readiness should be an ordinary obligation, not a hostile act.

AFRINIC, NRS and an independent custodian could define the envelope schema, generate protected exports and test restoration without changing public authority. Operators would receive a signed statement of their own state and a route to report discrepancies. Sample restorations would test whether a second environment can reproduce records, credentials, reverse DNS and pending-case metadata.

Readiness also requires institutional materials: authority schedules, vendor dependencies, domain controls, certificate inventories, bank and payment continuity, staff roles, contact trees, incident procedures and the legal instruments needed for temporary service. A technically complete replica can still be unusable if no one has authority to activate it or pay the people operating it.

ICANN's 2025 correspondence concerning AFRINIC emphasised the preservation and backup of public and non-public registry records. That concern identifies a minimum, not a complete design. Backups must be current, recoverable, interpretable and linked to authority. A file that can be restored but cannot support a lawful holder update is storage, not continuity.

Readiness tests should publish dates, scope, recovery objectives, unresolved gaps and independent conclusions. Security details and personal data remain protected. The public evidence should be sufficient to show that the capability exists without exposing how to attack it.

This phase benefits AFRINIC even if no transition occurs. Better exports, cleaner authority records and tested recovery reduce present risk. A continuity option should improve the incumbent before it competes with it.

Reconciliation must preserve uncomfortable facts

Migration programmes often reward a clean target. Teams are tempted to resolve duplicate names, missing documents and stale contacts before cutover so the receiving system looks orderly. That can destroy evidence.

AFRINIC's historical records include resources inherited from predecessor arrangements, later allocations, transfers, membership changes, corporate successions and disputed matters. Some files may be complete; others may rely on older formats, staff knowledge or external documents. Reconciliation should classify these differences rather than force one confidence level.

A useful classification has at least five states. Verified means evidence and current state agree. Verified with historical gap means current authority is strong but part of the earlier chain is incomplete. Disputed means another party has a documented competing claim or active review. Restricted means a lawful order prevents a named change. Pending evidence means the current conclusion cannot yet be independently reproduced.

Each class has a continuity treatment. Verified records can proceed through ordinary migration. Historical gaps travel with a caveat but do not necessarily stop service. Disputed records preserve the last verified state and move to independent review. Restricted records carry the exact restraint to the receiving custodian. Pending files can receive routine non-destructive service while rights-altering changes wait.

The reconciliation reviewer should not be the person who made the source decision or the receiving provider seeking to expand its customer base. Operators must receive their result and a correction window. Aggregate reports should show denominators, exception classes, correction rates and unresolved cases.

A successful migration does not produce a magically clean past. It produces a target in which uncertainty is explicit and cannot be exploited quietly.

Operator choice needs coordination, not unilateral escape

NRS continuity should give operators a meaningful choice of registry service. Choice disciplines an incumbent because poor service no longer carries the same captivity premium. Yet choice must be coordinated to prevent duplicate authority.

An operator should be able to request a port of service by authenticating its authority, selecting a qualified custodian and accepting the common continuity terms. The source custodian receives notice and can raise a defined objection: identity uncertainty, competing claim, court restraint, incomplete evidence or security compromise. It cannot reject a port merely because it dislikes competition or the operator's business model.

If no material objection exists, the custodians agree a cutover time, freeze the relevant change channel briefly, reconcile the envelope, rotate credentials, publish the authoritative-provider state and reopen service. The source becomes read-only for the relationship or forwards requests. The target acknowledges the complete state and every caveat.

If an objection exists, the operator should not lose all service. The record enters neutral custody or remains at the last verified state while an independent reviewer decides the contested point. Unaffected functions continue. A dispute about payment, for example, should not automatically become a dispute about holder identity or route authorisation.

The right is a right to a coordinated port, not to self-declare a new truth. Operators accept common authentication, evidence preservation, dispute carriage and lawful restraints. Providers accept export, audit, non-retaliation and a duty to leave when replaced.

This reciprocity turns portability from rhetoric into infrastructure.

Dual running should compare decisions, not publish two answers

Before NRS becomes authoritative for any production function, a dual-running period should compare how both environments interpret the same cases. The source remains final. The target processes a protected copy and records the result it would have produced.

Routine cases test semantic compatibility: contact updates, corporate name changes, new authentication factors, reverse-DNS requests, RPKI changes and transfer status. Historical cases test whether the target can reconstruct why the current state exists. Adverse cases test disputed authority, urgent security protection, ambiguous court language and incomplete records.

Differences should be classified. A software difference may require mapping. A policy difference may require the target to apply AFRINIC's existing rule during temporary service. An evidence difference may reveal that the source conclusion cannot be reproduced. A legal difference may require a specific instrument. None should be resolved by silently making the target behave as preferred.

Dual running also measures operational performance: event ordering, update latency, authentication success, log completeness, notification delivery and restoration after failure. A target that copies the final database but loses pending requests or notice history is not compatible.

The comparison period should have an end condition. NRS does not gain authority merely by running a mirror for long enough. Independent auditors certify defined capabilities; authorised parties then decide whether a named function can move. Material differences remain public at an aggregate level.

Dual running is expensive, but it buys evidence before operators bear the risk. It is the opposite of an overnight fork.

RDAP and WHOIS are the visible surface, not the whole registry

Public lookup services are the easiest functions to replicate. RIR data is already queried through WHOIS and RDAP, and public records can be mirrored for resilience. This makes them a sensible early NRS service, provided the response clearly identifies authority and freshness.

A replica should publish the source serial, snapshot time, authoritative custodian and any delay. It must not imply that NRS has independently validated every public field when it has only copied it. During later stages, responses should show the active provider and bounded dispute status without exposing confidential claims.

The challenge is update authority. A public lookup may be read from either endpoint while only one channel accepts final changes. If NRS begins accepting corrections, the envelope must show who authenticated the request, which evidence was checked, whether AFRINIC approved or delegated the function and when the public state became final.

Availability also needs independent measurement. DNS resolution, HTTPS, RDAP response, WHOIS response, data freshness and consistency should be tested from multiple networks. A provider cannot claim continuity merely because its own monitor sees the service.

Public lookup is valuable because it gives the transition an observable edge. Operators and relying parties can compare responses and identify stale or split state. It is limited public evidence because the hard power lies behind the answer: deciding who may change it.

NRS should use early lookup service to prove transparency while refusing to confuse visibility with authority.

Reverse DNS requires a delegation ceremony

Reverse DNS is often treated as a secondary registry service, but operators depend on it for mail, logging, security controls, troubleshooting and customer systems. Its continuity cannot be inferred from a copied database.

The transition must identify the parent delegations, authoritative name servers, DNSSEC state where applicable, zone-generation systems, account authority, pending changes and emergency rollback. A receiving provider should first serve an identical zone in shadow and prove consistent answers. Delegation changes should use a planned overlap so caches and resolvers do not encounter an avoidable gap.

During limited service, NRS may maintain the existing delegation while high-impact changes remain with AFRINIC or an independent authority. Later, routine updates can move under dual approval. A contested change should not cause the entire reverse zone to disappear. The last verified delegation remains unless security evidence requires narrow protection.

Every cutover should record pre-change and post-change zone state, signatures, parent update, propagation observations and rollback authority. Operators should receive notice and a test window. External monitors should verify continuity across the region and beyond.

The ceremony matters because reverse DNS shows how legal authority reaches running systems. An order to preserve a resource may or may not require freezing its delegation. A transfer may require coordinated movement. A registry service change should not alter the operator's chosen DNS arrangement merely because the provider changed.

NRS proves its bookkeeper discipline when the names keep resolving while the custodian becomes replaceable.

RPKI is the hardest service to move safely

Routing-security infrastructure makes the transition especially sensitive. The NRO's comparative service overview showed AFRINIC offering hosted RPKI while delegated service was not available in the same way as at several peer registries. That means many affected operators depend directly on registry-operated certificate and publication functions rather than controlling a delegated certification authority that could move more independently.

A transition must preserve certificate validity, route origin authorisations, publication availability, account authority and relying-party acceptance. It must avoid two incompatible certificate chains and avoid a break-before-make event that turns valid routes invalid. Key custody, activation authority and revocation power require formal ceremonies with multiple independent entities.

The first phase should replicate repositories and validation state without issuing new entities. The second should prove that the target can recreate publication from signed source state in an isolated environment. The third should establish a make-before-break path recognised by relying parties, with a precise cutover time and rollback. Existing route authorisations should persist unless the holder requests change or a separate, proven security reason requires action.

NRS should make delegated or portable RPKI a long-term design objective because provider substitution is easier when operators control more of their own signing function. Delegation still requires a recognised parent and sound publication, so it does not eliminate governance. It reduces the number of operator decisions that must be reconstructed during provider failure.

RPKI also needs remedy isolation. A membership, billing or policy dispute should not automatically revoke routing-security state. Security compromise may justify immediate protective action, but it should preserve evidence, notify the operator and receive rapid independent review.

Any transition that cannot explain its certificate and revocation chain is not ready, however complete its public database appears.

Transfers and new allocations should move later

Existing-state continuity is safer than creating new rights or recognising permanent changes. NRS should therefore move lookup, authentication support and non-destructive maintenance before transfers, disputed successions or new allocations.

A transfer changes the relationship that the registry must recognise. It requires seller authority, buyer authority, the resource and any applicable conditions to be verified; pending disputes and court restraints must travel; the two custodians must agree when the old state ends and the new state begins. Inter-RIR transfers add another registry and policy interface.

During dual running, AFRINIC should remain final for transfers while NRS processes the same evidence in shadow. Differences reveal whether the target can apply existing rules and preserve the chain. Limited NRS transfer authority should begin with uncontested, well-documented cases under an explicit mandate and independent sampling.

New allocations from available IPv6 or ASN pools create an additional IANA relationship. IANA allocates pools to recognised RIRs under global policy; an NRS custodian cannot simply draw from AFRINIC's inventory because it can operate a database. Pool authority, allocation records and recognition need a formal bridge. During temporary service, NRS could process or technically implement an AFRINIC-authorised decision without claiming the pool as its own.

This ordering protects NRS from mission inflation. Continuity begins with keeping accurate existing relationships usable. Distribution policy and permanent reallocation involve broader authority and should not be smuggled into emergency service.

Contracts, fees and liability must travel explicitly

Operators do not relate to a registry only through public records. They have agreements, membership status, invoices, service expectations, data-protection rights and potential claims. A technical port that leaves these relationships ambiguous will generate disputes at the first adverse event.

During temporary service, the instrument should say whether NRS acts for AFRINIC, as a subcontractor, as an independent emergency provider or under a court direction. It should identify who invoices, where money is held, which terms apply, who receives a complaint, which law governs and who bears loss from an erroneous change.

The safest limited-service model is function-specific. The operator's underlying AFRINIC relationship remains unless lawfully assigned or novated. NRS receives only the authority needed for named services, keeps funds and data segregated, applies the existing rule where lawful and cannot expand the relationship through its own membership terms. Operators receive notice and a concise statement of rights.

Long-term succession may require contract transfer or a new agreement. Consent should be meaningful rather than manufactured by threatening loss of records. The operator should be able to review the terms, preserve existing entitlements and challenge an incorrect envelope before the port becomes final.

Liability should follow control. A custodian that authenticates and executes a change should bear consequences for failing defined controls. An incumbent that supplies incomplete or false state should remain accountable for that contribution. An operator that submits forged evidence should bear appropriate responsibility. Independent review can allocate fault without using service interruption as leverage.

NRS cannot advocate operator freedom while disclaiming every cost of its own error. Limited authority can justify bounded liability; operational power without remedy cannot.

Courts and lawful restraints should become portable

AFRINIC's crisis developed in ordinary Mauritian law. Receivership, company membership, board authority, bank accounts and litigation did not disappear because the company operated Internet infrastructure. An NRS transition must work with lawful authority rather than claim technical exceptionalism.

At the same time, a court order should be translated precisely. Does it restrain disposal of a resource, change of holder, payment of funds, action by a named director or access to a system? Does it require preservation, disclosure or temporary administration? A broad institutional response can damage unrelated operators even when the order is valid.

The continuity envelope should carry the operative restraint, issuing forum, effective date, expiry or review state, parties and exact functions affected. Confidential material can remain sealed while authorised custodians receive the instructions needed to comply. A receiving NRS provider accepts the restraint as part of the port. Portability is not an escape from adjudication.

Conflicting or ambiguous orders require neutral preservation. The target should not choose the legal interpretation that expands its own authority. It preserves the last verified state, seeks directions through the proper parties and protects unaffected services. Independent counsel can advise, but the final technical action and its source should be recorded.

Courts benefit from the architecture because they receive a map. They can distinguish registry lookup, holder change, RPKI, reverse DNS, billing and corporate control rather than ordering a vaguely defined Internet registry to do everything or nothing.

NRS continuity is rule-of-law infrastructure when it makes lawful intervention narrower, more effective and less likely to conscript running networks into a corporate case.

Data protection should not become an excuse for institutional captivity

The envelope contains sensitive material: identity documents, corporate authority, contacts, contracts, security state, payments and disputes. A portable system could create a new concentration risk if every provider received complete files.

NRS should separate public coordination data, restricted operational data and confidential evidence. Public data supports lookup and authority status. Restricted data supports authentication and service. Confidential evidence is disclosed only to authorised reviewers, courts or custodians for a defined decision.

Cryptographic commitments and signed attestations can show that a document existed and was validated without copying the full document to every node. A receiving provider can request targeted access when a change requires it. Access logs should be visible to the operator and independent auditor. Retention should follow purpose and lawful hold, not indefinite institutional appetite.

The data controller and processor roles must be explicit at each state. A mirror used only for recovery has a different purpose from an authoritative service. Operators should know where data is held, which law applies, how to correct it and what happens after return. A custodian that loses its mandate should delete or archive material according to the agreed retention rule and produce evidence of completion.

Privacy cannot justify an opaque transition. Aggregate reconciliation results, service performance, decision reasons and provider failures can be published without exposing personal records. Nor can portability justify uncontrolled copying. The design should collect the minimum evidence necessary to reproduce authority and disclose the minimum necessary to decide a case.

This balance makes the record mobile without making the operator transparent to every institution.

Independent audit is a cutover condition, not a yearly ceremony

Audit should accompany each expansion of NRS authority. A general annual assurance report cannot answer whether a particular migration preserved every pending dispute or whether two RPKI states briefly competed.

Before protected replication, auditors test completeness, signatures, access and restoration. Before dual running, they test semantic mapping and event order. Before limited cutover, they test mandate, notification, credentials, rollback and one-source finality. Before full succession, they test contract treatment, external recognition, financial capacity, security, unresolved exceptions and provider exit.

Auditors should sample difficult records, not only clean ones. Historical gaps, mergers, legacy resources, court restraints, suspended accounts, disputed contacts and pending transfers reveal whether the system preserves uncertainty. Operators should be able to nominate cases without giving the auditor a political mandate.

The assurance report should state what was tested, what was not, error rates, unresolved severity, corrective actions and expiry. A pass should not be permanent. Material software, policy, key or provider changes require renewed testing.

Auditor independence includes economic independence. The receiving provider should not choose and control the only assessor. Funding can come from a pooled continuity reserve with appointment and conflict rules. Reports should be available to AFRINIC, NRS, operators, relevant recognition bodies and competent courts at the level appropriate to each.

Audit becomes useful when it can stop a cutover. If it only describes failures after authority has moved, it is history rather than control.

Activation must be layered and reversible

A continuity plan needs objective triggers. Institutional criticism, poor reputation or political disagreement should not be enough to activate NRS authority. Nor should the plan wait for total outage.

Triggers can be layered. Loss of a public endpoint activates a read-only replica. Loss of staff capacity activates authorised support. Evidence of record compromise freezes destructive changes and begins reconciliation. Inability to authenticate routine updates activates limited verified maintenance. Absence of a lawful decision-maker preserves contested state and invokes independent authority. Persistent inability to provide the function may justify a time-limited substitute. Permanent failure requires recognised succession.

Each trigger should identify evidence, decision-maker, scope, notice, review and expiry. The actor deciding activation should not be the NRS provider that gains revenue or influence from it. Emergency action may precede a full hearing, but review follows quickly and unaffected functions remain stable.

Reversibility requires a rollback state, not merely backups. Every change made by NRS during service should be exported as a signed delta. AFRINIC or another successor should be able to reproduce the complete current state. Pending cases, notices and payments must return with it. Credentials and keys should transition through controlled ceremonies, and obsolete access should be revoked.

Temporary status should have a hard decision point. Before expiry, authorised parties choose return, justified extension or formal succession. Repeated extensions cannot become permanent authority by exhaustion.

An activation design is credible when NRS can enter quickly and leave completely.

A practical six-stage AFRINIC-to-NRS path

The transition can be stated as a concrete sequence.

Stage one is evidence readiness. Define the envelope, map AFRINIC systems, generate signed operator statements, verify backups, classify legal authority and establish independent audit. No public authority moves.

Stage two is protected replication. NRS custodians receive purpose-limited copies, restore them in isolated environments and compare public and private state. Operators correct discrepancies through AFRINIC's authoritative channel. Read-only public resilience may begin with clear source labels.

Stage three is decision shadowing. Both systems process selected requests, but AFRINIC remains final. Differences in evidence, rules, timing and outcome are reported and resolved. RPKI and reverse-DNS rehearsal occurs without production authority.

Stage four is voluntary limited service. Verified operators may choose NRS for named functions under an agreed mandate. Routine contact and support functions move first. Contested rights, new allocations and irreversible acts remain with AFRINIC or an independent authority. One public state remains final.

Stage five is audited functional portability. Qualified providers can receive complete relationships; reverse DNS, RPKI and transfers move only after service-specific assurance. Operators can return or select another custodian. Disputes and lawful restraints follow the record.

Stage six is recognised long-term architecture. If AFRINIC remains capable, it competes as a custodian under common portability duties. If it cannot continue, a formal recognition and succession decision moves remaining functions. NRS governs the standard and assurance layer without necessarily operating every service itself.

The sequence allows improvement without betting the Internet on one irreversible event. Each stage has evidence and a stopping point. NRS grows by proving portability, not by declaring institutional victory.

Success should be measured at the operator boundary

Institutional milestones are inadequate. Signing an agreement, launching a portal, appointing a board or completing a data copy says little about whether an operator remained protected.

The primary measures should include envelope completeness; percentage of records independently reproduced; unresolved exception classes; time to authenticate after cutover; public-data consistency; reverse-DNS error and propagation rates; RPKI object continuity; number and duration of invalidating events; pending requests preserved; notices delivered; challenges resolved; ports completed; rollbacks; unauthorised changes; customer-impacting interruption; and time to export again.

Denominators matter. Five failed ports out of ten are different from five out of ten thousand. A low complaint count may indicate success or fear. Operator-size bands can reveal whether small networks face disproportionate evidence or delay burdens. Disputed cases should be reported separately from clean ports.

NRS should also measure provider discipline: missed export deadlines, incomplete logs, excessive holds, conflicts, security incidents, reversal rates and failure to delete obsolete access. A custodian that repeatedly fails can lose accreditation without threatening the resource relationship.

Financial measures should show the cost of minimum continuity, per-port cost, pooled reserve, emergency draw, audit cost and compensation for provider error. The system should not finance itself through indefinite holds or opaque mandatory fees.

The headline result is simple: did the network retain a reliable, singular and correct registry relationship while the institution changed around it? Everything else is supporting evidence.

The positive NRS case is replaceable administration

The strongest argument for NRS is not that it will make better decisions than every RIR. Any institution can make mistakes, become captured or overstate its mandate. The stronger claim is that no provider should be irreplaceable.

Replaceability changes incentives before a port occurs. AFRINIC would know that record quality, service and remedy affect whether operators remain. NRS custodians would know they must export the same complete envelope they received. Operators would know disagreement need not threaten their network identity. Courts would know continuity can be preserved without keeping a failing corporate arrangement in place forever.

This does not abolish common rules. Uniqueness, authentication, registry accuracy, security assertions, dispute metadata and authoritative-provider state remain common. It removes rules whose main effect is institutional captivity. The common layer becomes thinner because providers can compete in service while sharing the invariants needed for one Internet.

NRS can also separate roles that RIRs often bundle. A standard body defines the envelope. Accredited custodians provide service. Independent auditors test them. Arbiters decide contested ports. A pooled fund supports emergencies. Operators authorise movement. Courts retain lawful power. IANA and recognition bodies maintain the top-level coordination needed for global consistency.

Separation is not complexity for its own sake. It makes conflicts visible. The service provider does not judge its own refusal to export. The advocate does not become the hidden operator. The auditor does not depend on one custodian. The operator does not acquire freedom to fork the record.

This is continuity as institutional engineering: the record survives because every administrator can be replaced under rules that the administrator does not control alone.

The transition should make AFRINIC failure less existential

AFRINIC may recover and provide capable service for years. NRS continuity is still valuable. Insurance is most credible when built before the insured event, and portability improves the incumbent's discipline even when operators stay.

The design should therefore avoid triumphal language. It should not require a verdict that every AFRINIC act was illegitimate. It should not use historical controversy to pre-decide present holder claims. It should not seize a regional identity. It should ask a narrower question: can an operator preserve accurate registration, security and delegation state if the provider cannot or will not serve it under a reviewable rule?

If the answer becomes yes, AFRINIC governance disputes lose some of their all-or-nothing character. A board election no longer determines whether every operator remains captive. A court can isolate a corporate claim. A receiver can preserve and hand back service through a tested route. A member can challenge without threatening customers. External institutions can support records rather than defend institutional immortality.

The transition also gives AFRINIC a constructive role. It can help define the envelope, supply evidence, participate in dual running, retain service through performance and demonstrate that its record is strong enough to port. Cooperation would not be surrender. It would prove confidence in the function the institution exists to provide.

Registry failure becomes manageable when continuity no longer depends on pretending failure is impossible. NRS should be the architecture that makes that honesty safe.

Sources and analytical limits

The public NRS Charter is used for NRS's stated bookkeeper, operator-freedom, transparency and accountability principles. It is advocacy evidence about institutional direction. It is not treated as proof that NRS currently operates an authoritative registry, migration service, RPKI trust chain, reverse-DNS delegation, independent tribunal or recognised successor arrangement.

IANA's number-resources overview, allocation data and 2005 AFRINIC recognition report, together with RFC 7020 and RFC 7249, support the hierarchical registry context, global coordination function and historical transition into AFRINIC. They do not define the proposed NRS service-port model.

ICANN's 7 March 2025 letter and 16 July 2025 letter are used for attributed concerns about preservation, backups, non-public records and registration-data escrow. The letters are institutional positions in a contested setting, not findings that every backup or escrow duty was breached.

The NRO memorandum, Joint RIR Stability Fund, 2022 message to the AFRINIC community, 2024 ICP-2 assessment procedures and draft RIR Governance Document, version 2 support the existing mutual-aid, assessment and proposed continuity context. Draft text is not treated as adopted authority.

The NRO's comparative RPKI service overview supports the stated differences between AFRINIC's hosted service and delegated or transition features reported for other RIRs. It does not prove that the proposed make-before-break arrangement is currently available to AFRINIC holders.

No complete AFRINIC registry export, private customer file, RPKI key inventory, reverse-DNS change history, escrow agreement, NRS technical implementation, operator-port contract, independent conformance report or recognition decision was available in the reviewed public record. The continuity envelope, state machine, six-stage path and metrics are a prospective design. They do not assert that a transfer to NRS is presently authorised or technically ready, and they do not recommend activation without valid legal authority, independent assurance and one clearly recognised authoritative state.