Summary
- A registry living will is a pre-validated plan for preserving critical functions while changing or winding down the institution that supplies them. It is not a disaster-recovery manual, a backup schedule or a promise that current management can solve a future crisis. It must work when directors, staff, banks, suppliers or premises are unavailable and when legal authority is contested.
- The plan should identify critical functions before it identifies systems. For an Internet number registry these include the authoritative holder and resource record, controlled changes to that record, RDAP and legacy WHOIS continuity where still required, reverse-DNS coordination, RPKI certificate and publication continuity, holder authentication, court restraints, evidence preservation and communication. Actual route operation remains with networks.
- Every critical record needs a complete, current, independently verified export that a qualified successor can use. The export must preserve resource extent, holder identity, authority history, restrictions, pending instructions, contacts, public-service fields, cryptographic references and an ordered record of changes. A file that cannot be reconciled and restored is not continuity evidence.
- RPKI transition deserves its own plan. Private keys should not be casually copied to a successor. The living will must state which keys can remain, which authority must be reissued, how publication continues, how manifests and revocations are handled, what relying parties will observe, and how the registry avoids unintentionally invalidating legitimate routes.
- Funding must be available to the continuity function even when the ordinary company is insolvent. A ring-fenced reserve, letter of credit, insurance or mutual facility should cover substitute operation, specialist staff, secure facilities, legal applications, communications and transition. Funds controlled solely by the distressed board or exposed to ordinary creditor claims are not pre-positioned.
- Triggers must cover more than server outage. Loss of lawful governance, inability to pay critical suppliers, court restraint, key compromise, data-integrity failure, insolvency, prolonged quorum failure and refusal to obey binding review can each justify graduated intervention. The trigger, decision-maker, evidence threshold, duration and appeal must be stated in advance.
- Resolution should preserve service without preserving an unfit institution. A temporary operator can maintain critical functions while holders migrate, a successor is selected or a court decides disputed rights. The plan must protect members and resource holders from using continuity as a pretext for permanent external control, secret reassignment or extinguishing legal claims.
A living will is different from ordinary resilience planning
Conventional resilience asks how the same institution restores service after equipment failure, cyberattack, loss of premises or human error. It assumes that the organization remains authorized and can call its staff, spend its money, direct its suppliers and use its credentials. Those assumptions fail in institutional resolution.
A living will begins with the possibility that the organization itself cannot act. Its board may lack quorum. Competing groups may claim office. A court may freeze accounts. An insolvency official may control contracts but lack technical knowledge. A cloud provider may demand payment from an account no one can lawfully access. Senior staff may refuse instructions from a disputed executive. The records may be intact while authority to use them is fractured.
Resolution therefore separates the critical function from the corporate shell. It asks which services must continue, which assets and people support them, which legal rights permit transfer, which liabilities follow, and which institution can lawfully take temporary control. It also asks how the original organization can be restructured, replaced or wound down without converting continuity into an expropriation of holders.
The distinction matters for governance. A backup proves that bits were copied. A failover proves that another machine can answer. A living will proves that a legitimate successor can identify the current truth, operate bounded functions, pay the necessary costs, obey courts, communicate with holders and return or transfer authority under public rules. That is a much higher standard.
Resolution protects functions, not institutional prestige
The Financial Stability Board's Key Attributes seek orderly resolution of financial institutions while maintaining vital economic functions and avoiding taxpayer solvency support. Internet registries are not banks, but the functional logic is powerful. The public interest lies in continuity of the service, not in preserving every shareholder, officeholder, contract or organizational form.
For number governance, the vital function is a coherent and trustworthy account of Internet number-resource authority and the services that depend directly on it. The registry institution is a means to that end. If the institution becomes incapable or unlawful, continuity should not require the Internet community to pretend otherwise.
This functional approach avoids two errors. The first is institutional immunity: claiming that any intervention threatens Internet stability and therefore the current body must remain in control. The second is careless replacement: assuming that because the function matters, an outside actor may seize every asset and rewrite rights without limits.
Resolution authority should be narrow and temporary. It preserves critical services, records evidence, respects applicable court decisions and creates time for a lawful outcome. It does not decide political questions beyond what continuity requires. It should not allocate scarce resources, change holders, alter policy or distribute the failed organization's residual assets unless separately authorized.
The living will must state this purpose plainly. Without it, a continuity plan can become either a shield for failed governors or a charter for a permanent receiver.
The first task is to define the critical functions
Institutions often begin continuity planning with servers and offices because those assets are visible. Resolution should begin with the public functions that cannot safely stop. Systems, staff and contracts are then mapped to those functions.
For an Internet number registry, the critical set includes maintaining one current record of resource extent and recognized holder; accepting or freezing authorized changes; preserving allocation and transfer history; maintaining accurate RDAP and any still-required WHOIS service; coordinating reverse-DNS delegations; preserving RPKI certificate and publication continuity; authenticating holder representatives; applying court restraints; retaining evidence; and communicating status and remedies.
Not every ordinary activity is critical. Conferences, advocacy, training, grants, policy development, certification programmes and optional analytics may be valuable but can pause during acute resolution. New allocations and discretionary transfers may also pause until authority is stable. Defining a minimum service reduces funding need and limits the temporary operator's power.
Criticality has dependencies. RDAP may rely on holder records, redaction rules, referral information, network connectivity and domain names. RPKI may rely on certificate authority keys, hardware devices, publication repositories, rsync or RRDP service, manifests, staff ceremonies and external trust choices. Holder changes may rely on identity evidence and court records.
The living will should map each dependency to an owner, contract, location, substitute and maximum tolerable interruption. If a “critical service” depends on an unnamed employee's memory or a vendor contract that terminates on insolvency, the map has revealed a resolution obstacle rather than a plan.
The authoritative record must be separable from the operator
Continuity fails when an institution treats the resource record as inseparable proprietary property. The record documents relationships that must remain intelligible after the operator changes. Its custody can be protected; its continuity cannot depend on the survival of one company.
The living will should define a canonical export for every resource. It should include the exact address or autonomous system number extent, recognized holder, relevant organizational identity, current service provider, status, allocation or assignment basis, transfer history, restrictions, court orders, public contacts, confidential authority contacts, pending instructions, dispute status, linked reverse-DNS state, RPKI references and signed change receipts.
History matters because a current snapshot cannot explain why an actor has authority. A successor that sees only today's holder name may be unable to distinguish a valid merger from an unauthorized substitution. Ordered events, evidence references and prior versions allow reconstruction without giving the successor permission to revise history.
The export should use open, documented structures and stable identifiers. Proprietary encodings that only the failed operator's software can interpret defeat separability. Human-readable summaries should accompany machine-usable records so courts, holders and administrators can understand the decisive facts.
Separation does not mean publication of confidential material. The plan should define protected custody, access roles and disclosure rules. The objective is usable transfer under lawful authority, not indiscriminate exposure.
Verification makes an export more than a backup
A nightly copy can be complete in storage terms and still be unusable. It may omit recent instructions, contain broken references, rely on unavailable encryption keys or disagree with the state being served publicly. Resolution requires independent verification and restoration, not mere deposit.
Each export should carry a timestamp, coverage statement, integrity digest, signer and prior-version reference. An independent custodian should confirm that all expected resource records are present, that no resource appears twice in conflicting current states, that pending events reconcile, and that public RDAP output can be traced to the same authoritative facts.
Restoration tests should occur regularly into an environment controlled by a qualified substitute. The substitute should demonstrate that it can answer holder and public queries, preserve status, enforce restrictions and produce the same signed state summary. Differences must be explained and corrected before the plan is certified.
Freshness standards should vary by function. A daily full export may be adequate only if accepted changes are also streamed or journaled between deposits. A resource transfer completed minutes before failure cannot disappear because the most recent full copy was made overnight. Conversely, an incomplete pending instruction must not be executed twice after restoration.
The auditor should publish aggregate assurance and material exceptions. It should not reveal holder secrets or exploitable security detail. The decisive public fact is whether a successor can restore a current, complete and coherent account within the promised time.
Data custody needs an independent release mechanism
Escrow is useful only if the release condition, recipient and decryption path work during conflict. A copy held by a vendor that takes instructions solely from the current board may remain inaccessible when board authority is the problem.
The living will should appoint an independent custodian under a tripartite or statutory arrangement. Release can be authorized by a named resolution authority, competent court or another clearly defined body after a stated trigger. The custodian should verify the recipient's identity, preserve an audit trail and release only the material needed for the activated function.
Encryption keys should not be controlled by one party. Split authority can require, for example, a custodian and independent official to act together. Emergency access should be rehearsed. An elegant key-sharing design that has never been executed may fail because a person left office, a token expired or instructions conflict.
The release instrument should survive insolvency, acquisition and termination of the ordinary service contract. Fees for continued custody need pre-positioned funding. Applicable privacy and secrecy duties should follow the material to the temporary operator.
The plan must also address return and destruction. If temporary authority ends, the operator should transfer current records, preserve required evidence and securely remove unnecessary copies under independent verification. Resolution should not create permanent uncontrolled replicas of sensitive holder information.
RPKI continuity cannot be solved by copying private keys
RFC 6480 describes a hierarchy in which resource certificates attest to address and autonomous system number holdings, while Route Origin Authorizations express holder authority for route origin. That architecture means registry failure can affect more than a directory entry. Mishandled certificate or publication authority can change what relying parties consider valid.
The simplest-sounding answer—give the successor every private key—is often the wrong one. Key transfer can violate security design, expose trust across organizational boundaries and leave uncertainty about copies retained by the failed institution. Some keys should remain in controlled hardware under continuing custody; others should be rolled or replaced through an orderly certificate transition.
The living will should inventory every certificate authority key, hardware device, operator role, certificate, manifest, revocation list, repository and publication relationship. It should identify which functions can continue unchanged, which require new credentials and which rely on external issuers or trust anchors.
For each transition, the plan should state the intended relying-party view over time. Old and new material may need a controlled overlap. Revocation must not precede availability of valid replacement entities. Manifest and publication timing must be monitored. A substitute operator should be able to prove that the holder's intended ROAs remain visible and valid.
Most importantly, resolution of the registry should not silently alter routing authorization. Existing holder intentions should be preserved unless a security necessity or lawful instruction requires change. Institutional replacement is not permission to rewrite the routing choices of networks.
Publication service is distinct from certificate authority
RFC 8181 defines a publication protocol for RPKI objects and notes the usefulness of separating the certificate engine from the publication repository. That separation should shape the living will. A registry may fail in its institutional or certificate-authority role while the repository continues, or the repository may fail while authority remains intact.
The plan should map publication repositories, RRDP and rsync endpoints, domain names, certificates, hosting, network paths, monitoring and access credentials. It should identify a substitute publication operator and the legal right to assume the relevant endpoints or establish a controlled successor.
Continuity must include entity freshness and consistency, not merely endpoint availability. A repository serving stale manifests or partial entities can appear online while causing relying-party rejection. The substitute should validate inventory against the last accepted publication events and continue signed entity availability during transition.
DNS control can become a hidden dependency. If repository hostnames are registered through an account controlled by unavailable staff or a distressed affiliate, technical authority may be stranded. Domain registration, DNS hosting and certificate renewal rights should be held in a continuity-ready arrangement with independent recovery contacts.
The living will should establish separate triggers for certificate-authority containment and publication failover. A repository outage need not justify replacing holder certificates. A key compromise may require certificate action even when the repository is healthy. Modular authority prevents an incident in one layer from spreading through every security function.
RDAP and WHOIS continuity preserve public accountability
RDAP is a public accountability service as well as an operational one. Networks, security teams, rights holders, researchers and public authorities use registration information to identify the responsible organization, understand resource status and find an appropriate contact. During institutional failure, uncertainty increases just as reliable public information becomes more important.
The living will should define how RDAP service moves to a substitute endpoint or operator, how bootstrap direction changes, how caches are handled and how response consistency is measured. The successor must preserve stable identifiers and links where possible. It should not force users to understand the failed institution's internal structure.
Legacy WHOIS service may still carry contractual or user expectations in some contexts. Where it remains required, continuity should be included, but the plan should avoid treating two public services as separate truths. Both should derive from the same current holder and resource facts, subject to their respective presentation limits.
Privacy rules must survive resolution. An emergency operator should not disclose confidential contacts because ordinary redaction tools are unavailable. Nor should it hide all information behind a generic failure message. The minimum public service, authorized access route and correction mechanism should be pre-defined.
Correction is especially important during transition. Holders and affected third parties need a visible way to report an inaccurate status or contact. The temporary operator should have bounded authority to correct demonstrable errors while preserving prior state and reasons.
Reverse DNS requires continuity without unauthorized redesign
Reverse-DNS delegations connect address space to names under the special reverse trees. Their administration can depend on registry records and delegated nameserver information. Failure can leave stale delegations, block an authorized change or create uncertainty about who may instruct the parent.
The living will should inventory parent-zone relationships, signing arrangements, delegation contacts, automation credentials and outstanding requests. A substitute operator needs authority to preserve existing delegations and carry out narrowly defined holder-authorized changes.
Continuity should favor stability. The temporary operator should not redesign naming arrangements, consolidate providers or alter delegations merely because it prefers another architecture. Existing valid state should remain unless the holder requests change or a security incident makes preservation unsafe.
DNSSEC dependencies require separate attention. Keys, signing services, parent interactions and emergency rollover arrangements should be mapped. A registry's organizational failure must not lead to an improvised key change without observing validation consequences.
Reverse DNS also illustrates why records alone are limited public evidence. An export can list the current delegation, but restoration may fail if the successor lacks authenticated access to the parent, domain names, signing devices or network service. Resolution planning must connect authority, data and operational access for each critical function.
New allocations and discretionary transfers may need to pause
Continuity does not require every ordinary activity to continue. During acute uncertainty, a temporary operator should preserve current holders and critical services while avoiding decisions that create durable new rights or consume scarce resources.
New allocations can usually pause for a defined period unless a compelling public need requires action. Scarce IPv4 distribution, novel transfer approvals and disputed holder changes involve judgment that may exceed temporary authority. Routine contact corrections, security fixes and service-provider changes can continue if their standards are clear and evidence is strong.
The living will should classify transactions into continue, continue with enhanced review, hold and prohibit. The classification should be based on reversibility, consequence and discretion. A bulk change with low apparent value can still be dangerous if it affects many holders; a high-value event may be safe to preserve if it was fully authorized before activation.
Pending instructions need special treatment. Each should show whether it was received, verified, approved, scheduled or completed. The successor can then finish an accepted act, seek fresh confirmation or cancel it under a public rule. A blank restart would expose holders to duplicate execution or strategic delay.
The temporary pause should have a deadline and review route. Continuity cannot become an excuse to freeze transfer markets or customer exit indefinitely. As authority stabilizes, ordinary service should resume in stages with published reasons.
Funding must be available outside ordinary corporate control
Critical service cannot depend on money that disappears when the institution becomes insolvent. Payroll, secure hosting, specialist vendors, legal applications, custodians, substitute operators, communications and independent review all cost money during the most expensive period.
The living will should calculate a minimum continuity budget for several scenarios and durations. It should distinguish immediate stabilization, temporary operation, holder migration and final transfer. Assumptions about staff, transaction volume, infrastructure and legal cost should be tested rather than hidden in one aggregate figure.
Funding can take several forms: a ring-fenced cash reserve, an independently drawable letter of credit, an insurance arrangement, a mutual continuity fund or a levy-backed facility. The right form depends on law and scale. The essential properties are availability after a trigger, protection from ordinary managerial obstruction, clear permitted uses and accountability for expenditure.
ICANN's continued-operations instrument for certain new generic top-level domains offers a useful comparison: it was designed to ensure funding for critical registry functions if an operator encounters trouble. Number registries need their own duration and scope, but the principle is directly relevant.
Funds should not automatically rescue shareholders or satisfy unrelated creditors. They preserve the public function. Any public or mutual support should have repayment rights against available institutional assets where law permits. Transparency should show opening resources, draws, recipients, remaining coverage and expected duration without exposing security-sensitive details.
Staff continuity requires named roles and substitute capability
Institutions frequently depend on a small number of people who understand historical records, key ceremonies, unusual holder arrangements or relationships with external operators. A plan that lists job titles without testing substitute performance overstates resilience.
The living will should identify critical roles, required knowledge, access privileges, legal duties, location constraints and minimum staffing. At least two qualified people should cover each high-consequence function, with conflicts and separation-of-duty requirements preserved. Succession should include contractors and advisors, not only employees.
Employment and consulting arrangements should anticipate resolution. Staff may need to serve a temporary operator, remain with the original organization or transfer for a limited period. Retention payments can be legitimate when transparent and tied to critical work, but they should not reward governors for creating the crisis.
Knowledge must be externalized into current operational materials, authority maps, contact lists and rehearsals. A substitute team should perform critical tasks without informal coaching from the incumbent. Where that is impossible, the dependency should be reported as a resolvability defect and corrected.
Professional duties continue during conflict. Staff need a protected route to report integrity problems and conflicting instructions. They should know which authority prevails after activation and receive legal protection for obeying a valid continuity order. Ambiguity at the moment of crisis invites both paralysis and abuse.
Vendors and cloud services can become hidden veto holders
A registry may own its policy authority while renting nearly every operational dependency: cloud computing, network transit, monitoring, identity service, hardware support, office access, payment services, communication tools and specialist security. Each contract can create a termination right or access barrier during insolvency.
The plan should list every supplier supporting a critical function, the contracting legal entity, payment terms, data location, subcontractors, access credentials, termination clauses, assignment rights and substitute. Contracts should permit continued service for a bounded resolution period and lawful assignment to a temporary operator where possible.
The Federal Reserve's resolution guidance for large financial institutions emphasizes mapping critical shared services and using service agreements that do not automatically end during resolution. The scale differs, but the lesson is exact: shared services must remain available when the corporate relationship around them changes.
Cloud accounts should not rely on one executive's email address or personal device. Administrative roles, recovery contacts, billing authority and export rights should be independently controlled and rehearsed. The registry should know how long a complete transfer would take and which functions can run on a substitute platform.
Vendor concentration should appear in the public assurance summary. A registry that uses redundant applications on one provider in one legal account has not created institutional redundancy. Resolution planning examines failure domains, not product counts.
Legal-entity mapping exposes where authority is trapped
An organization may place staff in one entity, intellectual property in another, contracts in a third and cash at the parent. During ordinary operation the group appears unified. In insolvency or litigation, legal boundaries become decisive.
The living will should map each critical function to the legal entity that owns or controls its people, contracts, data rights, equipment, funds, insurance and intellectual property. Intercompany services should have written terms that survive activation and can be continued or replaced.
This mapping may reveal that the registry function is not separable. Essential software may be licensed only to a parent that can terminate access. Staff may work for an affiliate with no duty to support continuity. Trademarks may be irrelevant, while domain names and signing authority are trapped in another entity.
The remedy is not necessarily corporate simplification. It is sufficient separability: clear rights, assignment options, paid-up continuity licenses, independent access and funded service periods. The temporary operator should obtain what it needs without acquiring unrelated businesses.
Ownership changes also matter. A sale of the registry company should not defeat continuity instruments or quietly move critical assets outside reach. Material changes to group structure, key vendors or intellectual property should trigger an update and possibly fresh resolvability assessment.
Triggers must cover governance and legal failure
Server outage is only one trigger and often the easiest to observe. A registry may continue serving data while no lawful board can authorize changes, while funds are inaccessible, while records are being manipulated or while a court dispute makes every instruction contestable.
The living will should define graduated triggers across operational, financial, governance, legal and integrity conditions. Examples include prolonged critical-service failure; inability to pay essential suppliers; insolvency filing; court appointment of an administrator; loss of board quorum beyond a stated period; competing claims to executive authority; verified key compromise; material record inconsistency; failure of escrow deposits; and refusal to obey binding correction orders.
Each trigger needs an evidence threshold, decision-maker, permitted action, duration and review. A low-level warning can require enhanced reporting and a funding draw test. A higher level can freeze new discretionary changes. The highest level can transfer defined critical functions to the temporary operator.
Triggers should combine objective measures with bounded judgment. Purely automatic rules can be gamed or activate on harmless anomalies. Pure discretion invites political intervention. A documented threshold plus independent confirmation offers a better balance.
The triggering institution must publish reasons promptly, with confidential security detail removed. Affected holders and the registry should have a rapid challenge route, but urgent protective action may remain in force while facts are reviewed.
The resolution authority must be independent and constrained
Someone must decide that the trigger is met, instruct the custodian, draw continuity funds and appoint the temporary operator. Giving that power to the failing board defeats the plan. Giving it without limits to a competitor or political body creates another legitimacy problem.
NRS should establish an independent resolution authority or panel with technical, legal, financial and holder-representation competence. Members should have fixed terms, conflict rules, removal protection and no current provider role. Emergency decisions can be made by a smaller quorum, followed by prompt full review.
Its powers should be enumerated. It may preserve records, freeze specified changes, activate substitute service, direct escrow release, draw ring-fenced funds, maintain public information, protect RPKI continuity and seek court orders. It may not permanently reallocate resources, rewrite policy, extinguish ownership claims or award a territorial monopoly.
The authority should owe duties to continuity, accuracy, proportionality, rights preservation and transparency. It should keep signed reasons and a complete account of every act. Independent audit and court review should remain available.
Temporary power must expire. Each activation should have a maximum period, review points and a route to restoration, transfer or another lawful disposition. An emergency institution that can renew itself indefinitely has converted failure planning into constitutional replacement.
Substitute operators must qualify before a crisis
Selecting an emergency operator after failure wastes time and invites favoritism. The living will should identify a pool of pre-qualified operators that have demonstrated technical capability, financial resilience, security, independence and willingness to act under bounded authority.
ICANN's Emergency Back-end Registry Operator model is instructive. For covered generic top-level domains, designated providers can be activated to maintain five critical registry functions, including DNS resolution, shared registration, registration-data service, escrow deposits and DNSSEC-signed zones. The scope is limited and temporary rather than a full takeover of every business service.
Number-registry substitutes need different capabilities. They must understand address and autonomous system number records, RDAP, reverse DNS, RPKI, holder authentication, transfer evidence and regional legal conditions. Qualification should include successful restoration from current exports and a timed rehearsal of critical service.
No single substitute should become a universal dependency. A pool permits conflict avoidance and capacity distribution. The resolution authority should select according to published criteria, including independence from disputed parties and absence of commercial incentive to retain entities.
The temporary operator's compensation, liability, data duties and end obligations should be agreed in advance. It should not market unrelated services to captive holders during activation. At the end it must support holder choice, transfer current state and surrender temporary privileges.
Courts are part of continuity, not an external inconvenience
Internet institutions sometimes treat courts as unpredictable threats to technical stability. A living will should instead prepare for lawful judicial involvement. Insolvency, employment, contract, property and governance disputes will be decided under applicable law whether the technical community plans for them or not.
The registry should maintain a current legal map: incorporation, governing instruments, asset locations, key contracts, secured claims, relevant regulatory duties, recognized dispute forums and routes for urgent relief. Counsel and technical witnesses should be pre-identified without giving one law firm exclusive control of evidence.
Continuity instruments should be written so a judge can understand the critical functions, public consequences, bounded powers and available safeguards. Human-readable state summaries and independently verified restoration results are more persuasive than claims that intervention will “break the Internet.”
The plan should anticipate stays and conflicting orders. A court restraint affecting payment may require access to ring-fenced funds. An ownership dispute may justify freezing holder change while public RDAP and RPKI services continue. An insolvency official may need authority to assign contracts without deciding resource rights.
External review protects legitimacy. The resolution authority can act urgently, but a competent court should be able to examine legality, evidence and proportionality. Continuity is stronger when it can survive judicial scrutiny rather than depending on institutional exceptionalism.
Cross-border continuity needs pre-agreed cooperation
Internet number registries serve organizations across borders, rely on global technical services and may hold assets in multiple jurisdictions. A continuity order effective in the place of incorporation may not control a foreign cloud account, custodian, bank, employee or domain registrar.
The living will should identify every jurisdiction material to critical functions and explain what recognition is needed. Cooperation agreements can establish contacts, evidence-sharing rules, confidentiality, emergency notification and expectations for preserving service. They cannot override mandatory law, but they can reduce surprise.
The Financial Stability Board's framework includes cross-border cooperation because uncoordinated national action can fragment a global institution. Number governance faces a related risk. Two authorities could each claim the right to direct the same registry function, causing conflicting instructions to custodians and suppliers.
The plan should identify a lead resolution forum while preserving local court rights. It should state how conflicts are escalated and which actions remain safe during disagreement. Serving the last verified public record may be safer than accepting new changes until authority is clarified.
Data protection and secrecy law also follow jurisdiction. Transfers to a substitute operator need a lawful basis, access limits and records. Cross-border continuity should move only what each function requires, not every internal record by default.
Communications must work when ordinary channels are compromised
Silence during institutional failure encourages rumor, social engineering and conflicting claims. Holders need to know whether records remain authoritative, which functions continue, whether changes are paused, who can give instructions and where to challenge an error.
The living will should maintain independent communication channels: a continuity website or status domain, signed notices, verified contact lists and relationships with relevant network coordination bodies. Control of those channels must not rest solely with the failed institution's staff or accounts.
Messages should be role-specific. Holders need current service status, allowed actions, credential guidance and remedy. Routing operators need accurate information about RPKI and public endpoints without being told that registration resolution changes BGP policy. Suppliers need valid payment and instruction authority. Courts and public bodies need concise evidence of critical functions and safeguards.
Pre-drafted messages can save time, but they must contain fields for the actual trigger, scope, evidence, effective time and next review. Generic reassurance without facts can be worse than silence.
Communication is two-way. Holders should confirm critical contacts in advance and have an out-of-band route for reporting unauthorized changes. The temporary operator should publish a regular status cadence until ordinary authority resumes. Every update should distinguish verified fact, current uncertainty and next decision.
Member and holder rights must survive emergency authority
Resolution can preserve service while damaging legitimacy if members and holders lose all voice. Emergency authority should narrow participation only to the extent necessary for urgent continuity and restore ordinary governance as soon as practical.
Members should receive the public reasons for activation, aggregate financial use, service status and timetable. A representative committee can observe without directing individual technical acts. Conflicted officeholders should not use membership votes to reverse urgent containment of their own conduct.
Resource holders need stronger individual rights: preservation of current resource status, access to their records, correction, notice of material change, voluntary provider migration where safe, and a hearing before an adverse holder determination. Resolution should not convert registration service into ownership by the temporary operator.
The plan should protect minorities. A majority vote cannot authorize confiscation of a disputed holder's resource or conceal evidence. Conversely, a small group should not be able to stop continuity by preventing quorum. Pre-agreed emergency governance closes that gap.
At the end of activation, members and holders should receive a final account of actions, unresolved disputes, funds used, records transferred and authority surrendered. Accountability after the event is part of the legitimacy of acting quickly during it.
Resolution should offer more than one end state
Failure planning becomes brittle when it assumes one outcome. A registry may recover after temporary stabilization, transfer functions to a successor, divide service among qualified providers, enter long-term restructuring or wind down after holders migrate.
The living will should prepare several strategies. Restoration returns authority to the original institution after governance, finance or security defects are cured. Transfer moves the whole critical function to an approved successor. Bridge operation maintains a temporary institution while a lawful selection occurs. Holder migration allows each resource holder to choose among qualified NRS providers while the common authority preserves uniqueness. Orderly wind-down ends the failed provider after every critical relationship moves.
Selection depends on facts. A short supplier outage may justify restoration. Persistent governance illegitimacy may make restoration unsafe. A coherent regional institution with recoverable finances may merit restructuring, while a portable service market may favor holder migration.
No end state should be chosen solely because it benefits the temporary operator, incumbent peers or creditors. The resolution authority should compare continuity, legal feasibility, cost, holder choice, concentration and time. Reasons must be public and reviewable.
Optionality is valuable only when prepared. Naming five strategies without contracts, funding, exports and qualified recipients produces paper choice. Each credible end state needs an executable path and periodic rehearsal.
Rehearsals are the evidence that the living will is alive
Financial institutions submit resolution plans because description alone does not prove capability. Internet registries should adopt the same skepticism. A living will becomes stale as people, systems, suppliers, keys, law and organizational structure change.
At least annually, the registry and substitute should restore the full critical record, operate RDAP in an isolated but realistic setting, validate reverse-DNS authority, execute a controlled RPKI transition exercise, draw a nominal amount from the continuity instrument, activate communications and convene the resolution authority.
The rehearsal should include adverse conditions: unavailable executives, a failed vendor, a stale escrow deposit, a disputed pending transfer, inconsistent public output and a court restraint. Entities should not know every inject in advance. The purpose is to reveal dependencies, not stage a demonstration.
Independent observers should time each function, record manual intervention, identify missing authority and verify final reconciliation. Findings need owners and deadlines. Material unresolved defects should limit new high-consequence activity or require additional funding.
Some results should be public: functions exercised, time to restore, major weakness categories, overdue remediation and current assurance. Security-sensitive details can remain restricted. A registry asking the Internet to trust its continuity should provide more than an assertion that an exercise occurred.
Public and confidential versions serve different needs
A living will contains material that cannot be fully public: private contacts, security architecture, key arrangements, vendor pricing, legal strategy and protected holder evidence. Secrecy about everything, however, prevents members and holders from judging whether continuity authority is real and limited.
The public version should identify critical functions, governance triggers, resolution authority, substitute-qualification rules, funding structure, holder rights, high-level restoration results, maximum interruption targets, end-state options and review findings. It should explain what the temporary operator may and may not do.
The confidential annexes can hold asset inventories, credentials, detailed dependency maps, legal opinions, security findings and individual records. Access should be role-based, logged and periodically reviewed. The fact that an annex exists should not be mistaken for proof that it is complete.
Auditors should attest to usability without revealing protected contents. Where material exceptions exist, the public statement should describe their consequence and remediation date. “Confidential” should not conceal that no qualified substitute can restore the service.
Version history matters. Members and authorities should know when the plan was last updated, what material changes occurred and whether a rehearsal covered them. A living will signed years earlier by people who have left is an archive, not a continuity capability.
Resolvability assessment should change present behavior
The value of a living will lies partly in what it reveals before failure. If a critical function cannot be transferred because software is proprietary, keys are concentrated, funds are trapped or law is unclear, the institution should reduce that obstacle while healthy.
The resolution authority should conduct periodic resolvability assessments and assign findings by severity. A minor documentation gap can have a deadline. A missing substitute for a critical function may limit expansion. An inability to export authoritative records or preserve RPKI validity should trigger immediate remediation and enhanced oversight.
Assessment should include concentration and complexity created by current decisions. Acquiring a new service, moving to one cloud provider, changing legal entities or centralizing key custody can make resolution harder even if ordinary efficiency improves. Major changes should include a continuity impact statement.
The authority should possess proportionate powers to require improvement: updated exports, revised contracts, additional funding, duplicate expertise, narrower privileges or a focused rehearsal. It should not wait for failure to discover that every safeguard depended on voluntary cooperation.
Present discipline is the constitutional benefit of planning for failure. Governors make different choices when they know records must be separable, reasons must survive scrutiny and another qualified institution must be able to continue the function.
Common failure modes create false comfort
Several artifacts can look like a living will while providing little protection. A generic business-continuity document assumes current management remains in charge. A cloud backup ignores legal access and authority. A vendor list omits subcontractors and termination rights. A named substitute has never restored current records. A cash reserve remains in an account frozen with ordinary assets.
Another false comfort is the heroic employee. If continuity depends on one engineer, lawyer or executive acting correctly during conflict, the plan has personalized institutional authority. The person may be unavailable, conflicted or legally unable to act.
Static exports create another weakness. A complete monthly copy can miss decisive recent changes. Without an ordered journal and reconciliation, freshness cannot be recovered. Similarly, a technically successful RPKI exercise may ignore what independent relying parties observed.
Overbroad emergency power is also a defect. A plan that allows an external body to “take all necessary action” may appear flexible but creates legal uncertainty and political resistance. Enumerated, severable powers are more likely to survive challenge.
Finally, a plan can fail through optimism. If every scenario assumes cooperative directors, solvent vendors, uncontested court authority and accurate records, the document rehearses recovery from inconvenience rather than resolution of institutional failure.
A seventy-two-hour illustration makes dependencies visible
Imagine that a court finds the registry's board appointment invalid while a separate creditor obtains a restraint over ordinary accounts. Public services remain online, but no undisputed executive can authorize payments or high-consequence changes. The living will's governance and funding triggers activate.
In the first hours, the resolution panel confirms the orders, freezes new allocations and disputed holder transfers, preserves routine public service, instructs the custodian to lock the latest verified export and draws the first tranche of continuity funds. It publishes a signed notice identifying functions that continue and those temporarily held.
The substitute operator receives bounded access, verifies resource counts and current-state integrity, confirms RDAP output, checks reverse-DNS dependencies and compares RPKI publication with multiple relying-party views. Existing valid state remains. No private key is copied merely because management authority is unclear.
Within the first day, critical suppliers receive valid payment assurances and instruction authority. Holders receive role-specific notices and an emergency correction route. Pending changes are classified by status. The panel applies to the competent court for recognition of temporary powers where needed.
By the third day, the authority publishes reconciliation results, residual uncertainties, funding coverage and the next review. It decides whether limited ordinary changes can resume while the court resolves governance. This illustration shows why records, money, law, communications and cryptographic authority must be prepared together. None alone produces continuity.
NRS can make provider failure smaller than registry failure
A portable NRS model offers an advantage unavailable to a territorial monopoly. If one registration-service provider fails, willing holders can move to other qualified providers while a common authority preserves one current state. The entire region need not wait for institutional reconstruction.
That advantage does not eliminate resolution planning. The common coordinator itself needs a living will, and each provider needs a proportionate plan. The coordinator's plan emphasizes authoritative state, provider pointers, shared interfaces, court restraints and succession. A provider's plan emphasizes customer records, evidence, credentials, optional RDAP or RPKI services, funds and holder migration.
Portability must be usable under stress. The receiving provider should be able to accept a verified continuity transfer without cooperation from failed management. Objection grounds should be narrow, credentials pre-arranged and state changes serialized. Holders should not have to prove a new allocation merely to restore service.
Concentration still matters. If every provider depends on one custodian, one cloud platform or one RPKI publication service, nominal plurality masks a shared failure domain. The Society should assess common dependencies across plans.
The goal is not an institution that can never fail. It is a structure in which failure of one institution does not erase records, trap holders or grant emergency actors unlimited authority.
The living will is an account of limited power under stress
Resolution planning is often presented as operational housekeeping. For an Internet registry, it is constitutional design. It determines who can act when ordinary authority fails, which facts remain protected, whose rights survive, how long emergency power lasts and whether an institution can be replaced without fragmenting the public function.
A credible plan begins with critical functions and maps every dependency. It keeps complete, verified and restorable records outside the sole control of current management. It treats RDAP, reverse DNS and RPKI as distinct services with distinct transition risks. It places funds where insolvency cannot make them useless. It qualifies substitutes, prepares courts, protects staff and gives holders direct information and remedy.
The plan also limits itself. Temporary operators preserve rather than reallocate. Resolution authorities act on published triggers, give reasons, face review and surrender power. New allocation and disputed transfer can pause while existing holder and routing intentions remain intact. Public continuity does not justify permanent institutional immunity or permanent emergency control.
The strongest evidence is rehearsal. If a successor has never restored the records, if a nominal fund has never been drawn, if a key transition has never been observed by relying parties, or if the court basis has never been tested by independent counsel, the living will is aspirational.
Internet number governance should not wait for the next crisis to discover these facts. A registry worthy of durable authority should be able to explain, demonstrate and finance how its function continues after it no longer can. That is not an admission of expected failure. It is proof that the institution understands the difference between stewardship of a critical service and ownership of its users' dependence.
Evidence and further reading
- Financial Stability Board Key Attributes of Effective Resolution Regimes — the international standard emphasizing orderly resolution, continuity of vital functions, safeguards, funding, cooperation, resolvability assessment and planning.
- Financial Stability Board guidance on operational continuity in resolution — official guidance on preserving critical shared services when an institution enters resolution.
- Federal Reserve full resolution-plan information requirements — official requirements for mapping critical operations, legal entities, funding, systems, interconnections and dependencies.
- Federal Reserve guidance on resolution plans — official guidance on liquidity, governance, critical shared services, contract continuity and separability.
- Ofgem memorandum on Energy Supply Company Administration — an official public-utility comparison centered on uninterrupted essential service and coordinated special administration.
- Ofgem explanation of protection when energy firms collapse — official description of supplier-of-last-resort transfer and special administration when ordinary supplier failure occurs.
- IANA Number Resources — the official description of global coordination for IP addresses and autonomous system numbers.
- RFC 6480: An Infrastructure to Support Secure Internet Routing — the IETF architecture for resource certificates, Route Origin Authorizations, trust anchors and repositories.
- RFC 8181: A Publication Protocol for the RPKI — the standards-track protocol separating RPKI publication actions from repository operation.
- ICANN Emergency Back-end Registry Operator programme — an operational comparison identifying critical domain-registry functions and pre-qualified temporary providers.
- ICANN Continued Operations Instrument — an official example of pre-positioned financial resources for continuity of critical registry functions.

