Summary

  • AFRINIC's own reports separated deregistration, reversal, consolidation, quarantine, continued due diligence and disputed custodianship, revealing that “recovery” described several legally and operationally different acts rather than one self-proving remedy.
  • A current registry entry could not establish a clean right if the entry itself might have been manipulated; a defensible decision required historical allocation evidence, authenticated change records, corporate succession documents, payment and contract context, routing history and tested claims from every affected party.
  • Notice had to reach more than the name visible in WHOIS. Transfer intermediaries, current operators, customers, routing and security administrators, original organisations and lawful successors could each hold different evidence and face different consequences.
  • Good faith could not convert an unauthorised act into valid registry authority by assertion alone, but it should affect procedure, reliance protection, transition time and the allocation of loss where a holder paid value without knowing that the recorded chain was defective.
  • Continuity required a reversible disputed status, preservation of current routing support where safe, a bar on further disposition, independent decision and staged correction; abrupt deletion risked exporting AFRINIC's control failure to unrelated networks.

“Recover” concealed the question that had to be decided

Institutions reach for the language of recovery because it suggests a return to order. Something was taken; the institution identifies it; the institution takes it back. That sequence is emotionally clear and administratively attractive. It was a poor description of the problem AFRINIC confronted after suspicious alterations to its number-resource records came to light in 2019.

An Internet address block is not a warehouse entity that can be carried back through a gate. AFRINIC's published registration agreement says number resources are not property, even while granting members an exclusive right of use within contractual and policy conditions. The registry maintains administrative records and related services. Operators elsewhere decide whether to route traffic. Customers may depend on addresses assigned or made available through a member. Security systems, reverse DNS, allowlists, certificates and hosted services may all have been built around the visible resource state.

Changing the registry record can therefore correct one layer while destabilising another. If the apparent holder never had legitimate authority, leaving the record untouched perpetuates the corruption. If AFRINIC deletes the record immediately, networks that relied on it may lose administrative support or encounter routing and security consequences before they can move. If the original organisation no longer exists, “return” does not identify a recipient. If two successors claim the same historical holder, the old entry does not decide between them.

AFRINIC's 2021 WHOIS accuracy report reflected this complexity despite its confident institutional language. It described resources as reclaimed, reversed, consolidated, quarantined, pending due diligence and under dispute pending determination of rightful custodianship. Those verbs did not denote stages of one automatic action. They represented different conclusions about authority and different levels of evidential confidence.

The unanswered question was not simply how many addresses could be recovered. It was: what decision rule could establish the legitimate administrative position, protect parties who had relied on AFRINIC's records without knowledge of corruption, and preserve service while that rule was applied? Public statements gave fragments of an answer. They did not provide a complete, independently reviewable recovery constitution.

The institution's own record could not authenticate itself

The first evidential difficulty was circularity. AFRINIC was investigating manipulation of information held in its registry. A current WHOIS entry showed what the system said after the suspected changes; it could not prove that the changes were authorised. An old entry showed an earlier state; it could not alone establish that no legitimate corporate succession or authorised update occurred later. The record under challenge was evidence, but it was not a verdict.

The 2021 report accordingly drew on a larger set of material: internal registry history, organisation and contact data, maintainers, member and resource requests, tickets, delegated statistics, service use, predecessor-registry records, other RIR data, corporate information and submissions from parties. That approach was directionally right because authority had to be reconstructed from multiple independent traces.

Each trace answered a limited question. An original allocation document could show the organisation first recognised. A corporate registry could show a name change, merger, dissolution or director, but not necessarily a valid transfer of number-resource use. An AFRINIC ticket could show that someone requested a change, but authentication and authority still had to be tested. Payment could show a commercial transaction, not that the seller possessed transferable authority. Routing history could show operational use, not lawful custodianship.

Control of a domain or email address could show present access while saying little about how access was obtained.

The evidential chain therefore needed positive links. Who was first recorded, under what regime and from which predecessor record? What happened to that organisation? Who requested each material change? How was the requester authenticated? What documents were supplied? Which AFRINIC officer approved the action, under which rule and with what conflict check? Did the system change match the approved request? Did the purported recipient later sell, lease, delegate or assign use? Which downstream party paid value, and what representations did it receive?

A break in the chain should not be filled by confidence. It should produce a disputed status and a defined burden of further proof. AFRINIC's difficulty was institutional: it was at once the custodian of incomplete records, the victim claiming unauthorised alteration, the investigator reconstructing the history and the administrator able to change the visible result. That concentration made independent review essential even when the underlying suspicion was strong.

Pool space and legacy space posed different recovery problems

AFRINIC's reports divided the affected population into space taken from its available pool and space already carrying legacy status. The distinction is foundational.

Pool space was part of the inventory AFRINIC administered for allocation under regional policy. If records were altered to make unallocated pool space appear legitimately delegated, the central question was whether any authorised allocation had occurred. A complete absence of an application, need evaluation and approval would be powerful evidence that the apparent holder never acquired a valid right from AFRINIC. Deregistration and quarantine could then restore the pool, subject to notice, evidence preservation and downstream continuity.

Legacy space came from an earlier era. AFRINIC's report explained that such records migrated from predecessor arrangements and that legacy-only holders generally had no contract with AFRINIC. The organisation still maintained relevant registry data and services, but the legal and historical basis differed from an AFRINIC-issued allocation. Some original organisations had changed names, merged, become dormant or disappeared. Contacts could be obsolete. Documentary evidence might predate current corporate registries or digital retention.

For legacy space, an unexplained update did not necessarily mean the address block belonged in AFRINIC's available pool. The first task was to identify the legitimate historical holder or successor. Reversing a suspicious contact or organisation change might restore the last trustworthy state, but that state could still be commercially or corporately obsolete. Reclamation for new allocation would require a distinct authority, not merely proof that a recent change was unsubstantiated.

The 2021 report's categories show the problem. Some legacy addresses were consolidated at the request of a holding company, some changes were reversed, and a substantial population remained disputed or pending a custodianship determination. A single “stolen addresses” narrative could not explain why those outcomes differed. Governance required a reasoned decision for each chain.

AFRINIC's January 2020 notice was a useful beginning, not a complete procedure

In January 2020 AFRINIC told its community that it was examining resources, confirming old information and giving the current holder or contact an opportunity to prove its claim. It listed possible actions: deregistration, modification of organisation and resource records, movement to an original holder, locking records pending vetting and twelve months of quarantine. It also reported that fifteen prefixes amounting to one million IPv4 addresses had been deregistered by 30 January.

The statement recognised due process in outline. It acknowledged that old information required confirmation, that the current recorded party should be heard, and that responses could differ. Locking and quarantine were especially important because they created a pause between suspicion and irreversible reuse.

But “opportunity to prove” leaves critical questions open. What notice address was used when the contact field itself might be compromised? How long did the party have? What documents counted? Could an affected operator inspect the evidence against its chain? Who decided disputed authenticity? Was there an appeal before deletion or only after? Did the decision distinguish the person who initiated an unauthorised change from a later business that paid value? What continuity assessment preceded deregistration?

The public statement also used the language of ownership even though the registry's contractual materials deny that number resources are property. That verbal ambiguity matters. A claimant may possess a contractual right of use, historical custodianship, corporate succession, operational control, a customer delegation or merely a record entry. Calling each position ownership obscures the legal basis AFRINIC is actually recognising.

A recovery code should define the interest being decided. It should say whether the institution is correcting its own allocation record, recognising a successor, terminating a member's contractual right, reversing an unauthorised update, or returning unallocated inventory to quarantine. Precision prevents a technical administrator from appearing to adjudicate property rights the governing instruments do not create.

Notice had to follow the dependency chain, not just WHOIS

The name in a registry record is an obvious notice recipient, but it is not necessarily the only affected party or even the person best able to explain the chain. A disputed block may involve an original holder, a corporate successor, an intermediary, a member that arranged customer use, the network announcing the route, hosting providers, security contacts, customers and public services addressed from the space.

These actors do not hold identical rights. A customer generally cannot prove the original allocation merely by showing that it receives service. An operator announcing a route may do so for a client. An intermediary's purchase agreement may reveal representations but not validate the seller's authority. Yet each may possess relevant evidence, and each may need time to reduce harm if the administrative basis fails.

Notice should therefore be layered. The registry should contact all historical and current authenticated contacts, corporate addresses and known claimants. It should notify the member account connected to the block, relevant routing-security administrators and any party already identified in tickets or legal submissions. Where direct customer identities are not known, the recorded operator should be required to relay a standard continuity notice without disclosing sensitive customer data publicly.

The notice should identify the block, the nature of the questioned link, the interim restrictions, the evidence sought, the response deadline, the decision-maker and the review route. It should avoid stating contested fraud as a concluded fact. A party can be told that an allocation approval is missing or a change credential appears unauthorised without being publicly branded dishonest before the evidence is tested.

Delivery needs proof. Email to a compromised or dead address is not meaningful notice. Multiple channels, corporate service, portal notification and documented receipt are appropriate for high-impact cases. If a party cannot be reached, the registry should record the attempts and apply an interim status long enough for public operational notice before any reuse.

Good faith affects remedy even when it does not cure authority

The hardest case is the downstream acquirer that paid value, received apparently plausible records and did not know that an earlier link was unauthorised. Treating that party exactly like the initiator of manipulation is morally satisfying only if one ignores the institution's role in maintaining the record on which the transaction relied.

Good faith cannot be a magic transfer policy. If the governing contract and policy did not permit a seller to transfer the right, a buyer's honest belief may not create authority that the seller lacked. Recognising every recorded downstream claim would reward whoever moved fastest after corruption and would make registry integrity contingent on private sales.

But the opposite rule is also defective. Immediate deletion without hearing, transition or differentiation places the entire cost of AFRINIC's control failure on a party that may have been deceived. It can harm that party's customers, who may be still further removed. It also reduces incentives to disclose documents: a holder expecting automatic loss may litigate or conceal rather than cooperate.

Good-faith protection should therefore operate through procedure and remedy. The downstream party receives notice, access to the basis of the challenge, a chance to submit transaction and diligence evidence, and an independent decision. If the chain is defective, the party may receive a bounded transition period, continued read-only or security support, and coordination for renumbering. Its evidence can support claims against the seller or other responsible actor. Deliberate concealment, forged records or continued disposition after notice should remove those protections.

The diligence standard should be realistic for the date of the transaction. Did the acquirer verify the seller's identity and authority? Did it obtain AFRINIC confirmation where available? Did the price or structure signal abnormal risk? Did it inspect the contract and policy then in force? Did it understand that number resources were not freely transferable property? A sophisticated broker and an end customer should not be judged by identical expectations.

The institution needed a holder classification, not a moral binary

Recovery decisions become clearer when affected parties are classified by evidence and conduct rather than divided into thief and victim. At least six positions may exist.

The first is the original legitimate holder whose record was altered without authority. Its claim is to restoration or recognition of a lawful successor, subject to current evidence. The second is a lawful successor after merger, acquisition or reorganisation whose documentation was never properly reflected. Its problem is record correction, not recovery from wrongdoing.

The third is a direct entity in an unauthorised alteration or disposition. It receives due notice but no reliance protection for conduct it knew was defective. The fourth is a downstream acquirer that knew, or ignored obvious evidence, that the seller lacked authority. It may not deserve a transition beyond what is necessary to protect unrelated users.

The fifth is a good-faith downstream operator that paid value and relied on apparently official records. Its chain may still fail, but the institution should mitigate avoidable collateral harm and preserve evidence for recourse. The sixth is an end user or customer with no role in acquiring the block. Its interests are continuity, notice and time to move, not recognition as the resource holder.

There may also be public-service dependencies. A block could support healthcare, government, communications or other services whose users cannot be reached individually. That does not validate the holder's chain. It changes the transition plan. The recovery decision should separate entitlement from the timetable and method by which the operational state is corrected.

Classification protects fairness in both directions. It prevents a culpable actor from hiding among customers and prevents customers from being treated as culpable because they happen to route through the disputed space. It also gives AFRINIC a consistent vocabulary for public reporting without publishing allegations that have not been adjudicated.

Quarantine should protect evidence and scarcity, not merely wait out a calendar

AFRINIC said deregistered pool resources would be quarantined for twelve months before possible return to the available pool. A cooling-off period is prudent. It reduces the risk that a block is reissued while claims or stale routing continue. It also gives operators time to remove dependencies and reputation systems time to adjust.

Twelve months, however, is a duration rather than a release test. A resource should leave quarantine only when the evidential decision is final within the institution's review structure, applicable court restraints are checked, route and security dependencies are measured, stale records are addressed, abuse and reputation risks are assessed, and the technical systems can issue a clean chain to a new recipient.

The quarantine state should preserve history. Deleting a WHOIS entry must not delete the evidence of who changed it, which contacts were notified, what routes existed or which claims were made. Public presentation can indicate that the resource is under administrative hold without naming unproved wrongdoers. Internal and sealed records should retain the complete chain.

Quarantine also needs a stop rule. AFRINIC should not reallocate a block simply because the scheduled date arrived while litigation, a credible successor claim or a missing decision remains unresolved. Conversely, indefinite quarantine should not become a substitute for deciding. Each extension should state the unresolved question, responsible decision-maker and next review date.

Scarcity creates pressure to release addresses quickly. That is precisely why release authority must be independent of allocation targets. A registry that benefits institutionally from returning space to its pool should not let the same operational team determine disputed custodianship and approve reuse without review.

Registry correction and routing continuity are separate levers

RFC 7020 describes the Internet numbers registry system as a hierarchy that records allocations and assignments while recognising that network operators make routing decisions. This separation is useful during recovery. AFRINIC can alter registration and related services, but it does not directly command every router. Conversely, leaving a route visible does not establish legitimate registration.

The recovery plan should map the levers individually: WHOIS or RDAP registration, member-portal access, reverse DNS, Internet Routing Registry entities, resource certification, delegated statistics, transfer handling and public status. Some can be frozen against further change while existing service continues. Others may need correction immediately because they amplify unauthorised control.

A reversible disputed state is often better than binary deletion during the hearing period. The record can prevent changes, transfers and new security authorisations while preserving enough existing information for operators to understand the status. Affected parties can be required to maintain contacts and cooperate with transition. Emergency abuse response can continue under logged supervision.

Resource certification deserves particular care. Revoking or altering certificates and route-origin authorisations may affect routing-security validation. The correct action depends on the current certification state and operational use. The institution should not promise that every registry correction will automatically disconnect a network, nor should it pretend that technical security services are irrelevant. It should publish a continuity impact assessment for each high-risk remedy.

The final correction can then be staged: prevent further disposition, settle the administrative claim, notify operators, move dependent services, revoke or replace credentials, update records and monitor residual announcements. Staging is not indulgence. It is how the registry avoids turning its own historic weakness into a sudden outage for parties that cannot cure the original defect.

Litigation was evidence that the procedure lacked accepted legitimacy

AFRINIC's 2021 annual report said cases brought by Afri Holdings and LogicWeb resulted from reclamation after the misappropriation investigation. Its public case list records applications and later procedural outcomes. The existence of litigation does not prove that AFRINIC's conclusion was wrong; a sound decision can be challenged. Nor does withdrawal or dismissal of an interim application necessarily decide the underlying chain on its merits.

The cases do show that recovery had moved beyond an internal correction. Parties claimed interests substantial enough to seek judicial restraint, and the operational state could not be treated as uncontested. Once that happens, the quality of notice, evidence preservation, reasons and interim safeguards becomes central. A court can assess a decision far more effectively when the institution has created a complete record rather than a retrospective narrative.

Legitimacy is not achieved by avoiding lawsuits. It is achieved when the same facts, categories and decision rule would be used regardless of the claimant's influence, nationality or public reputation. A published procedure narrows the dispute. Parties can contest authenticity, succession, good faith or remedy without having to guess which unstated standard AFRINIC applied.

Independent review can also resolve many cases before court. A panel with legal, registry and operational competence can inspect protected evidence, hear claimants and issue reasoned findings. Its members should have no role in the original allocation, disputed change or planned reuse. Review should suspend irreversible action where the claim is credible, while preserving safeguards against further disposition.

Court access remains essential. The registry should identify which decisions are administrative, what contractual appeal exists and when judicial relief may be sought. It should not describe an interim procedural victory as a definitive validation of every factual allegation. Precision about what a ruling decided is part of recovery integrity.

The burden of proof should move with demonstrated facts

A fair procedure does not place the entire burden on one side from beginning to end. AFRINIC should first identify a specific defect: missing allocation approval, unauthorised credential use, conflict evidence, inconsistency with predecessor records or an unsupported holder change. A general statement that an address appears suspicious is limited public evidence for a severe remedy.

Once AFRINIC establishes a documented break, the current claimant should explain the link it relies on. It may provide corporate succession, signed agreements, invoices, correspondence, registry confirmations, identity records and technical history. The institution should test authenticity and disclose material contradictions. Where two parties make plausible claims, neither should control further changes until independent determination.

The standard should reflect consequence. A temporary lock intended to preserve evidence may require a credible risk, provided existing operations remain protected. Deregistration, loss of services or reuse by a new member requires stronger proof and completed review. Public accusation of fraud requires stronger care still and may depend on an appropriate legal finding.

Negative evidence must be handled honestly. A missing ticket is important when the process required one and retention was reliable. It is less decisive where records from the period are known to be incomplete. Silence from a defunct company is not consent. A route observed for years is evidence of use, not necessarily authority. The written decision should explain how each absence was weighted.

This burden structure protects the registry from impossible proof while preventing it from relying on the corruption of its own records as a reason to make the current holder prove everything from nothing. AFRINIC created and maintained the system. Where its control failure destroyed evidence, the resulting uncertainty should influence remedy and reliance protection.

Recovery required an account of loss, not just an address count

Public reporting concentrated naturally on the number of IPv4 addresses reclaimed, reversed or disputed. Counts communicate scale, especially in a scarce market. They do not show who bore the loss.

A complete recovery account would distinguish addresses returned to quarantine, records restored to original holders, successor claims recognised, downstream businesses required to renumber, customers transitioned, routes still observed, disputes unresolved and compensation claims pending. It would report notice success, average decision time, appeal outcomes and whether any block was reissued.

Financial incidence matters too. If a good-faith operator paid an intermediary, recovery may leave it with a claim that is difficult to enforce. If AFRINIC's control failure made the transaction appear legitimate, members may ask whether insurance, settlement or another remedy is appropriate. The registry should not decide private damages through technical records, but it should preserve evidence and identify the responsible avenues.

The account should also show continuity incidents. Did any correction interrupt reverse DNS, routing security, customer access or abuse response? Were transition plans completed? How many urgent exceptions were granted and why? Reporting these outcomes improves the next decision and deters both exaggerated catastrophe claims and complacent assertions that a registry edit has no external effect.

Institutional learning depends on connecting cause to cost. If weak authentication enabled a change, remediation should show the control and its test. If stale legacy contacts prolonged the dispute, the registry should report progress on verified contact maintenance. Recovery is complete only when the same evidential break is less likely to recur.

Restoration should not create an unexamined windfall

The word original carries moral force, but it is not always the end of the inquiry. A historical organisation may have ceased trading, transferred its business lawfully, merged into another entity or abandoned practical use long before a suspicious record change. Its name in an old registry snapshot is strong evidence of the starting state, not automatic proof that the same legal person should receive every present service without further examination.

Restoration must therefore test continuity on both sides of the disputed change. AFRINIC should verify the original allocation, then verify the claimant's succession from the original holder. A familiar company name can survive while the legal entity changes. A parent company may control a former holder without owning every right the subsidiary possessed. A liquidator, purchaser of business assets or successor created by statute may each have different authority. Registry staff should not infer succession from branding or management overlap.

The same caution applies to inactivity. A block that appeared unused or had stale contacts was vulnerable to abuse, but inactivity did not itself authorise appropriation. Nor does later discovery that the original holder had no immediate operational plan necessarily entitle AFRINIC to make the block available. The institution needs a valid recovery or termination basis under the regime that governs that resource, particularly for legacy space without an ordinary registration agreement.

Where restoration is justified, the recipient should still complete current identity and security checks before receiving change authority. Reinstating an obsolete email address or compromised maintainer would reproduce the original vulnerability. Historical recognition and present authentication are separate steps. The record can acknowledge continuity while requiring modern contacts, multi-person approval and a documented incident-response path.

No party should receive more from correction than the evidence supports. A restored holder gains the administrative position it can prove, not a judicial declaration of property ownership from a registry technician. A good-faith downstream operator gains transition protection, not a permanent right created by sympathy. AFRINIC regains unallocated pool space where the chain proves it was never validly issued, not every disputed legacy block that lacks an active claimant. These boundaries make recovery credible because they deny windfalls to all sides.

A decision matrix could separate evidence from operational urgency

The recovery panel should decide two axes independently. The first is evidential confidence: confirmed valid chain, confirmed break, competing credible claims or limited public evidence evidence. The second is continuity consequence: low, manageable with notice, severe but reducible, or immediate safety and security risk. Combining them produces more disciplined interim action.

A confirmed break with low continuity consequence can move relatively quickly to correction after review. A confirmed break supporting many active customers still requires correction, but implementation should include a bounded migration period and supervised service. Competing credible claims justify a lock, evidence preservation and neutral maintenance; they do not justify allocating the block to whichever party has the louder public campaign. Limited public evidence evidence with no active use may support quarantine, whereas limited public evidence evidence with substantial use requires a longer protected determination.

Urgent harmful activity is a separate consideration. Abuse associated with addresses may require immediate network, law-enforcement or provider response, but it does not by itself prove which historical claimant owns the administrative chain. The panel should isolate the urgent measure from the custodianship decision. Otherwise allegations about content or customers can become a shortcut around proof of entitlement.

Every cell in the matrix should specify permitted actions. A lock may prohibit holder changes, transfers, new route-authorisation entities or deletion while allowing contact with security staff. A migration status may preserve existing reverse DNS for a fixed period but bar expansion. A quarantine may withhold reallocation and publish a neutral status. The design removes improvisation without preventing case-specific judgment.

The matrix also improves equality. Parties with similar evidence and dependencies receive similar interim treatment. Departures must be reasoned and recorded. Members can audit aggregate use of each category without seeing confidential documents. Courts can identify whether AFRINIC followed its own standard and whether the chosen measure was proportionate to both proof and risk.

Most importantly, the matrix prevents operational urgency from silently deciding legitimacy. A network may be large, commercially important or politically connected; those facts affect transition but not the validity of an unauthorised chain. An original holder may appear sympathetic; that affects neither corporate succession nor the historical record. Separating the axes is the institutional discipline that the simple language of taking addresses back could never supply.

A clean recovery code would have made AFRINIC stronger

The code should begin with classification. Is the case suspected pool misappropriation, disputed legacy custodianship, unauthorised record alteration, contractual breach, corporate succession or permitted transfer? Each category has a different legal basis, evidence set and remedy. Combining them under “reclamation” invites arbitrary treatment.

Second comes preservation and interim control. Capture tamper-evident histories, freeze non-essential changes, prevent transfer or reuse, maintain necessary operations and identify every known claimant and dependency. The interim status should be reversible and subject to a short review.

Third comes notice and evidence exchange. AFRINIC states the precise defect and evidence; claimants answer; protected information is handled confidentially; and affected operators submit continuity needs without gaining the power to decide entitlement. A published timetable prevents drift.

Fourth comes independent determination. Reasons should identify the governing contract or historical basis, facts found, credibility judgments, good-faith classification, continuity assessment and chosen remedy. An appeal body should be able to inspect the complete record. Irreversible action waits for review unless immediate harm makes delay impossible.

Fifth comes staged implementation and public accountability. The registry coordinates renumbering or service transition, corrects each administrative layer, monitors routing and security effects, holds recovered pool space until release tests pass, and reports aggregate outcomes to members.

Such a code would not guarantee agreement. It would make disagreement legible. AFRINIC could defend a correction by showing a stable rule rather than asking the community to trust its institutional status. Claimants could be heard without converting temporary reliance into permanent authority. Operators could protect users without deciding disputed rights through route announcements.

The hardest truth is that integrity and reliance can conflict

Registry integrity says an unauthorised chain should not remain authoritative merely because time has passed. Reliance says institutions must account for people who organised legitimate activity around the institution's visible records. Both principles are valid, and neither can erase the other.

AFRINIC could not resolve the conflict cleanly because the original control failure allowed administrative appearance, commercial dealing and operational use to separate from proven authority. By 2019, correction was not restoration to an uncontested yesterday. It was a choice among incomplete histories and present dependencies.

The right response was not paralysis. It was disciplined sequencing: prove the break, preserve the state, hear the chain, classify good faith, decide independently, protect unrelated users and only then implement the least disruptive effective correction. Where proof remained genuinely balanced, the record should say so and a court or agreed adjudicator should determine the contested right.

This approach does not reward corruption. It makes corruption harder to profit from because further disposition stops immediately and known entities receive no reliance protection. It also prevents the registry from externalising all consequences of its own failure onto the most remote operators and customers.

The measure of recovery is therefore not the largest number returned to a pool. It is whether the resulting registry state is better evidenced, more legitimate and operationally safer than the state it replaced. AFRINIC's published categories showed that it understood parts of this problem. The absence of a complete public decision code left the central question exposed: who should bear the risk when the keeper of the record can no longer rely on the record it kept?

Sources and evidentiary boundaries

AFRINIC's WHOIS Database Accuracy Report is the main source for the categories and quantities the institution reported, its distinction between pool and legacy space, the evidence it consulted and the cases it left pending. The report's labels are treated as institutional findings, not final judgments against every current holder.

The January 2020 resource update records AFRINIC's promise to hear current holders, the corrective actions it contemplated, the twelve-month quarantine and the first million addresses it said it deregistered. The August 2020 CEO statement provides a later account of investigation, holder contact, reversal and due diligence.

AFRINIC's 2021 Annual Report establishes that litigation involving Afri Holdings and LogicWeb arose from reclamation decisions, while the public court case list is used only for the existence and procedural status of listed matters. Neither source is treated as proving the merits of disputed custodianship.

RFC 7020 supplies the neutral architectural distinction between number registration and routing operations. It supports continuity analysis but does not determine AFRINIC's legal authority, private contractual rights or the outcome of any Mauritian proceeding.