Summary

  • Regional portability creates a hard design question: how can a holder move number-resource service between qualified registrars while the Internet still sees one current status for each IP range or AS number? The answer is a thin IANA-facing ledger that records signed status commitments and rejects overlap.
  • The competitive layer should be registrar service: holder support, evidence review, RDAP publication, RPKI custody options, reverse-DNS coordination, financing records, customer notices, dispute support and migration assistance. The non-competitive layer should be uniqueness, public status, conflict detection, event ordering and auditability.
  • IANA's existing IPv4, IPv6, AS-number and RDAP bootstrap registries already show the principle that a global record can point to responsible services without containing every customer file. A portability-era ledger would extend that principle from regional allocation blocks to current status commitments and service-provider assignments.
  • Number Resource Society's positive contribution is to argue that portability and uniqueness are not enemies. If the root ledger is narrow enough and the registrar layer is competitive enough, holders gain exit while the Internet keeps one coherent record.

Portability needs a thinner root, not a thicker ruler

The strongest objection to regional portability is simple: if a network can move its number-resource registration service away from the region where the resource first sat, what prevents duplicate records? A prefix cannot be cleanly active in two incompatible registries. An AS number cannot have two current controllers for the same purpose. If portability means every registrar maintains its own final truth, the result is not accountability. It is fragmentation.

The answer is not to abandon portability. It is to separate the root of uniqueness from the service market. The IANA-facing layer should be a thin global ledger that records one status commitment for each resource interval or AS-number range. That layer does not need to store every customer document, decide every commercial dispute, set prices, judge business purpose or approve routing. It needs to reject overlap, order events, identify the qualified registrar responsible for customer service, preserve history, expose dispute status and make external audit possible.

The registrar layer can then compete. A number registrar can serve holders better or worse. It can provide faster support, better evidence handling, clearer fee schedules, stronger RPKI options, smoother reverse-DNS coordination, better dispute assistance, stronger lender documentation or more effective customer-notice tooling. If the holder dislikes the registrar, the holder can move service without asking the old registrar to bless the exit. The root ledger records the move once.

This architecture is positive for NRS because it answers two fears at once. Holders fear being trapped by a regional monopoly whose governance, legal environment or service quality they cannot escape. Operators and relying parties fear duplicate allocation and routing confusion. A root status ledger gives the second group a non-negotiable invariant. Registrar portability gives the first group a practical exit.

The design also protects IANA. A portability-era IANA does not become a world property court or capital-market supervisor. It maintains the narrow common record needed for global uniqueness and service discovery. The more that record tries to decide, the more pressure it attracts. The thinner it remains, the more durable it becomes.

The current IANA record already teaches restraint

IANA's present number-resource pages are restrained. The IANA Number Resources page says IANA is responsible for global coordination of IP addressing systems and AS numbers, allocates pools of unallocated addresses to RIRs according to global policy, documents protocol assignments, and does not ordinarily allocate directly to ISPs or end users. The page lists the five RIRs and points to registries for IPv4, IPv6 and AS numbers.

The public IPv4 Address Space registry is a root view. It records /8-level designations, status, whois and RDAP pointers, and whether space is allocated, reserved or legacy. It does not contain every downstream contract or customer file. It is valuable because it anchors a common map from global address space to responsible registry services.

The IPv6 Global Unicast Address Space registry works in the same restrained spirit. It records prefixes, designations, dates, WHOIS, RDAP and status. The AS Numbers registry records ranges assigned by RIRs and pointers to relevant services. These registries prove that a global ledger can be authoritative without being encyclopedic.

The portability problem asks for a finer status layer, not a different philosophy. Today, large regional blocks point to RIRs. After regional portability, the global ledger would need to record the qualified registrar responsible for a particular current resource status, possibly at more-specific intervals and AS-number ranges. That is a narrower claim than storing every contract. It is a stronger claim than a private supplemental directory. It is the root commitment that no other registrar may contradict.

This is why the word ledger is useful. A ledger is not a manifesto and not a customer-relationship system. It records events that change recognized state. It preserves order. It detects incompatible entries. It allows reconstruction. A portability-era IANA ledger should do those things and resist becoming an all-purpose governance forum.

A status commitment is not a customer file

The most important data discipline is the difference between a status commitment and a customer file. A status commitment says that a defined resource interval or AS-number range has a current recognized state, a responsible registrar, a holder identity reference, an event class, a time, a dispute flag if any, and links to public service endpoints. It may also include cryptographic commitments to protected evidence. It does not need to publish commercial price, invoices, board papers, financing covenants, customer lists or sensitive identity documents.

This distinction protects privacy and competition. Registrars can compete on evidence review, customer service and optional products without handing every business file to a global root. Holders can prove continuity to lenders, clouds, upstreams and auditors without exposing confidential terms to the world. The root ledger can still support audit because protected evidence can be committed by hash, reviewed under authority and linked to reason categories.

Status commitments should be structured around event classes. Examples include current holder confirmation, qualified registrar assignment, registrar move pending, registrar move complete, holder transfer pending, holder transfer complete, dispute noted, court or competent-authority hold noted, emergency operator active, returned resource, reserved resource, legacy status confirmed and correction completed. Each event class should have a public meaning and a defined effect.

The ledger should not hide uncertainty. If a transfer is disputed, the public state should say so. If a court order freezes a change, the ledger should show a hold category without publishing protected filings. If a registrar is under emergency operation, the ledger should show the temporary service provider and the expected review or handback route. If a correction replaced an error, the prior record should remain historically visible, with the correction reason.

A thin status commitment therefore does more than a conventional public register. It gives relying parties the state they need while preventing the root from becoming a dossier of private business. It is narrow enough to scale and strong enough to prevent contradiction.

Duplicate allocation is an interval problem before it is a political problem

Duplicate allocation sounds like a constitutional crisis, but the first test is mathematical. Does the proposed status event overlap an already current status event? Does a more-specific interval conflict with a covering interval? Does an AS-number range intersect an existing range? Is a returned or reserved range being activated by the wrong party? Is a legacy block being claimed without continuity evidence? These questions can be tested before any political argument begins.

The portability-era ledger should enforce interval rules with mechanical severity. A registrar should not be able to submit a current holder status for an interval that overlaps another current holder status unless the event is a recognized split, aggregation, correction, transfer or dispute notation under defined rules. The same applies to AS-number ranges. The root should reject contradictions automatically and publish the rejection category.

That does not mean every conflict is simple. Two parties may provide plausible evidence. A court may freeze an event after a transfer has been signed but before registrar move completion. A corporate successor may inherit some resources while a divested business receives others. A legacy holder may have old records that do not fit modern contract categories. The ledger cannot resolve every substantive question instantly. It can prevent the conflict from becoming two clean current records.

Conflict states should be explicit. The ledger can say that a resource is under dispute, that a pending event is paused, that no duplicate current allocation has been accepted, and that a qualified reviewer or adjudicatory route is handling protected evidence. Relying parties then know the difference between a clean record and a contested one. Silence is more dangerous than dispute notation.

This is where NRS's anti-patronage thesis becomes technically grounded. An incumbent registrar should not be able to suppress portability by refusing to cooperate while keeping the root ambiguous. A new registrar should not be able to force portability by signing a contradictory clean record. The ledger should accept only events that fit the interval rules and evidence classes. That makes uniqueness a shared invariant rather than a weapon.

Registrars should compete above the invariant layer

Once the root rejects duplicate current state, competition can move to the right place. Qualified number registrars can compete on the services holders actually experience. One may offer better multilingual support. Another may specialize in IPv4 transfers and lender evidence. Another may support smaller ISPs with lower fixed costs. Another may offer stronger delegated RPKI tooling. Another may be trusted for emergency continuity or insolvency-sensitive cases.

Competition should not include the right to create duplicate status. A registrar wins by serving the holder and passing the root tests, not by promising easier recognition of dubious claims. If a registrar becomes careless, the root ledger and external auditors should detect rejection rates, conflict incidents, stale endpoints, security problems and holder complaints. Qualification can then be limited, suspended or revoked by function.

This model resembles the discipline operators already understand. Many services can compete around the Internet while sharing protocol invariants. Transit providers compete without redefining IP packet structure. Certificate authorities compete inside browser or application trust rules but are subject to audits and incident disclosure. DNS registrars compete in a system where the domain-name registry remains the authoritative record for a name. The analogy is imperfect for numbers, but the separation of invariant and service is familiar.

For number resources, registrar competition should be especially disciplined because scarcity makes records financially consequential. A registrar may be tempted to win customers by promising faster approvals, less evidence, looser dispute handling or silence around problematic history. A proof-based qualification regime should make those promises expensive. The registrar that cannot explain its approvals should lose reliance.

NRS can position itself as a registrar, an assurance body, a portability advocate or a standards convener only if it keeps this separation clear. The positive claim is not that NRS should be the new central master. It is that holders should be able to choose qualified service without compromising the one-resource-one-current-status rule.

RDAP shows how a root can point without owning every answer

RDAP is not a complete answer to portability, but it is an important clue. RFC 9224 explains how clients can find the authoritative RDAP service for a domain, address or AS number through IANA bootstrap data. For IP address space, it uses longest-match logic to choose the relevant base RDAP URL. This is a public discovery layer that points to the service responsible for answering structured queries.

A portability-era root ledger can learn from that design. The root does not need to serve every RDAP response itself. It needs to identify the current qualified service endpoints and make their authority or supplemental status clear. If a holder moves from one registrar to another, the ledger can update the responsible service pointer while retaining historical evidence. If more-specific intervals are served by different registrars, longest-match logic and conflict controls can prevent ambiguity.

The lesson also cuts the other way. RDAP bootstrap alone is not enough. A service pointer can be accurate while the underlying record is disputed. A registrar endpoint can be reachable while a holder transfer is contested. A query can return clean JSON while protected evidence is weak. The status ledger must therefore record event class, dispute state and registrar qualification, not merely a URL.

RDAP also highlights transition risk. Clients cache data. Tools handle errors differently. Some users still rely on WHOIS, internal mirrors or vendor databases. A registrar move may therefore leave stale public evidence for days or weeks. The ledger should expose old and new service states during a defined transition period and publish enough time metadata for relying parties to distinguish current state from stale copies.

NRS can add value by making portability visible in public discovery rather than hidden in bilateral notices. If a holder moves registrar service, customers should not have to guess whether a changed RDAP endpoint is a takeover, a transfer, an outage or an authorized service move. The root status commitment should tell them the class of change.

RPKI and reverse DNS must move with guardrails

The root ledger is not enough if RPKI and reverse DNS break during portability. Many operators care less about the philosophical status of a registry than about whether their routes validate, their reverse-DNS delegation works, their abuse contacts remain reachable and their customers can pass cloud and security checks. A clean holder move that disrupts these dependencies will be judged as a failure.

RPKI creates special care because resource certificates attest to allocations and ROAs can be used to build route filters. RFC 6480 describes how resource certificates bind public keys to IP addresses or AS numbers and how ROAs support route-origin authorization. If portability changes the registrar responsible for certification support, the change must not create accidental invalidity or silent key capture.

A portability-era ledger should not itself issue every ROA. It should record the status that lets relying services understand who is responsible for the registration relationship and whether a certification transition is pending, complete, paused or disputed. Registrars should support hosted and delegated RPKI options, key rollover, emergency cure periods, stale-entity detection and clear holder choice. The ledger should record enough status to prevent a registrar from using RPKI custody as a hidden exit barrier.

Reverse DNS needs a similar boundary. Parent-zone delegation involves recognized infrastructure and cannot be moved merely because a private party signs a demand. But a registrar move should not leave the holder without a visible path for reverse-DNS continuity. The ledger can record which registrar coordinates delegation service, whether a change is pending, whether old name servers remain in a grace period, and whether the reverse-DNS component is disputed.

The point is not to make every dependent service part of the root ledger. It is to ensure that portability has guardrails. A holder move should carry a dependency checklist: RDAP, RPKI, reverse DNS, abuse contacts, public status, customer notice, stale-data warnings and rollback. A registrar that cannot handle those dependencies should not be qualified for live portability.

Transfers and registrar moves need different locks

A holder transfer and a registrar move are different events. A transfer changes who controls or is recognized for the resource. A registrar move changes the service provider that maintains or publishes the record for the holder. Confusing the two creates avoidable risk. A bad actor could disguise a transfer as a service move. An incumbent could disguise refusal of service portability as concern over ownership. A lender could misunderstand a registrar change as collateral impairment.

The IANA ledger should therefore use different locks. A transfer lock should protect against unauthorized change of holder status. It should require seller or predecessor authority, buyer or successor identity, protected transaction evidence, dispute checks and completion conditions. A registrar-move lock should protect against unauthorized service-provider change. It should require holder instruction, receiving registrar qualification, outgoing service notice, dependency transition and rollback timing.

The locks should be visible without overexposing private terms. The public status can say "registrar move pending" or "holder transfer pending" with timestamps, responsible registrar and dispute flag. It does not need to disclose price or contract details. If a court or competent authority pauses the event, the ledger should say the class of pause and the public effect.

Different locks also improve audit. A disputed transfer can be analyzed as a chain of authority and transaction evidence. A disputed registrar move can be analyzed as holder instruction and service continuity. The evidence is different. The remedy is different. The impact on customers is different. A thin ledger that separates the events gives auditors and relying parties better signals.

This is a direct improvement over regional lock-in. In the old model, a holder may have to keep registrar service with the same institution that reviews a transfer or dispute. That institution can become both recordkeeper and practical gatekeeper. A portability model lets service move unless a defined lock applies. That is the difference between protecting uniqueness and protecting an office.

Legacy space and IPv6 should not be afterthoughts

Any portability ledger that works only for clean recent allocations will fail the real Internet. Legacy IPv4 records, recovered address space, old corporate histories, national registry traces, mergers, provider-independent IPv6, AS-number changes and partial reallocations all create edge cases. The root ledger must handle them without either erasing history or freezing holders in place forever.

Legacy IPv4 is the hardest because evidence may predate modern agreements. The IANA IPv4 registry still marks many /8s or portions as legacy or administered by current registries. A portability-era ledger should not pretend that every legacy claim has the same proof file as a modern RIR allocation. It should classify evidence type, age, continuity, dispute status and responsible service provider. It should allow stronger proof over time without rewriting the original history.

IPv6 should not be treated as free from governance risk merely because the address space is large. IPv6 allocations still depend on accurate registration, routing authorization, reverse DNS, customer procurement and operational continuity. Regional portability for IPv6 may not carry the same scarcity price as IPv4, but it carries the same dependency on coherent public state. A ledger that only protects scarce IPv4 would recreate fragmentation in the next layer.

AS numbers also need careful treatment. The IANA AS Numbers registry records ranges assigned by RIRs and points to relevant services. ASNs are small identifiers with high routing significance. A registrar move for an ASN should preserve abuse contact, routing identity evidence, RPKI-related material where applicable and customer-facing continuity. Duplicate current AS-number status would be as unacceptable as duplicate address status.

NRS can strengthen its positive case by embracing these difficult classes. A real portability service does not cherry-pick the cleanest resources. It documents uncertainty, accepts different evidence types, rejects overlap and gives holders a route to improve their proof. That is how a ledger becomes more accurate over time without becoming punitive.

Emergency continuity should be visible and temporary

Regional portability is partly an ordinary service-choice reform and partly an emergency-safety reform. A holder should be able to leave a poor registrar in normal times. A community should also have a way to preserve service if a registrar or RIR cannot operate. The two cases should be connected but not identical.

The draft NRO governance text discusses emergency continuity when an RIR cannot adequately provide services to its region and allows temporary arrangements involving other RIRs and ICANN. A portability-era ledger can make such arrangements safer by recording the emergency operator, affected resource set, start time, authority basis, service limits, review date and handback condition. Emergency service should not become an unreviewed takeover.

NRS should support the same principle. If NRS or another qualified registrar fails, the holder's records should not disappear with the institution. Escrow, witnessed checkpoints, evidence export, successor selection and limited emergency operation should allow another qualified registrar to serve the holder while the failure is reviewed. The root ledger should record the emergency state so relying parties know they are seeing temporary continuity rather than a commercial transfer.

Emergency continuity must also protect holders from opportunism. A crisis is the easiest moment for a powerful institution to expand authority. The root ledger should require a narrow affected set, stated reason, time limit, independent review and handback or transition decision. A temporary operator should preserve records and services, not adjudicate unrelated policy disputes or rewrite rights.

This is where the IANA ledger can keep portability from becoming chaos. In normal times, it records registrar choice. In crisis, it records a bounded temporary service state. In both, it rejects duplicate current allocation. A thin root is not weak if it controls the right invariant.

Audit and monitoring turn the ledger into public infrastructure

A ledger that no one can audit is only a database with a grand name. The IANA portability ledger should be designed for monitors, auditors and holders. Monitors can check public commitments, service pointers, time order, interval overlap and consistency. Auditors can review protected evidence under authority. Holders can export their own event history and prove continuity to customers or lenders.

Transparency-log ideas can help. RFC 9162 defines signed tree heads, inclusion proofs and consistency proofs for append-only logs. A numbering ledger would need its own rules, but the monitoring lesson is powerful: public commitments become more valuable when independent parties compare them and detect incompatible histories. A root ledger should not depend solely on the operator saying it has one view.

Audit should include negative events. Rejected submissions, overlap conflicts, disputed claims, emergency holds, stale endpoints, registrar qualification failures and corrected errors are all evidence of institutional health. A system that only publishes clean completions hides the denominator. If a registrar submits many rejected changes, relying parties should know the category. If a root operator delays many status updates, the service needs scrutiny.

Holders need their own records. A portability right is incomplete if the holder cannot carry event receipts, protected evidence references, public status history and dependency notices to another registrar. Export should be standard, verifiable and usable by auditors. It should survive institutional failure. It should not require public disclosure of every confidential document.

The positive NRS thesis becomes stronger when audit is treated as customer infrastructure. A holder choosing a registrar is not just choosing a help desk. It is choosing the quality of evidence that will be used in transfers, finance, procurement, cloud onboarding, dispute response and emergency service. Registrar competition should therefore be competition in verifiable records.

The anti-fragmentation promise

The anti-fragmentation promise is simple: portability must not create duplicate allocation. It should reduce institutional lock-in while strengthening the global record. That promise is credible only if every portability event passes through a root status commitment that can reject overlap and preserve history.

This is why a root ledger is different from a federated rumor network. Registrars may hold rich files. They may sign receipts. They may maintain customer dashboards, private evidence vaults and support histories. But the public Internet needs a final current-state signal. If two registrars disagree, the root ledger must show disagreement, not choose silence or publish both as clean.

The promise also limits IANA. IANA should not use the root ledger to decide whether a holder's business model is desirable, whether a price was too high, whether an address block is morally idle, or whether a network should announce a route. Those questions belong to contracts, courts, markets, operators and policy bodies where relevant. The root protects uniqueness and status, not every public-interest claim that can be attached to a scarce resource.

That limit is good for NRS too. If NRS wants a world where holders can leave failing registries, it should not design a root that becomes impossible to leave. The root should be replaceable by defined successor arrangements, externally monitored and constrained by public standards. The registrar layer should be plural. The holder's records should be portable. The whole point is to protect the ledger, not the gatekeeper.

In that sense, regional portability is not a threat to IANA's uniqueness function. It is a demand that uniqueness be expressed more cleanly. Instead of using region as a proxy for control, the system can use a global root commitment for current status and qualified registrars for service. Region may still matter for law, language, outreach and policy. It should not be the holder's prison.

Registrar qualification is a continuing condition

The registrar layer cannot be a one-time club. A qualified number registrar should remain qualified only while it proves the capabilities that the root ledger relies on. That means continuing tests for security, service availability, evidence review, conflict handling, customer notice, RPKI transition support, reverse-DNS coordination, protected evidence custody, audit cooperation and export. Qualification should decay if those capabilities decay.

Continuing qualification solves a problem that older recognition models often create. Once a regional registry is recognized, loss of status becomes so disruptive that the system hesitates to use it. The practical consequence is that recognition can become permanent even when performance worsens. A modular registrar model can be less brittle. A registrar might keep ordinary RDAP service qualification while losing authority to process high-risk holder transfers. Another might keep supplemental evidence status while losing live portability status until a security review is complete.

The root ledger should therefore record registrar qualification classes. A registrar can be qualified for public registration service, holder evidence custody, registrar moves, transfer support, RPKI support, reverse-DNS coordination, emergency continuity or protected dispute evidence. The classes should be public because relying parties need to know whether a registrar is acting within its authority. A registrar that is qualified to maintain contact data should not automatically be qualified to run an emergency transition.

Qualification should also include financial and institutional continuity, but without becoming a barrier designed to preserve incumbents. A small registrar can be safe if it has strong escrow, limited scope, external audit, clean security controls and a tested handback plan. A large registrar can be unsafe if it is opaque, conflicted or slow to correct errors. Size is evidence, not a substitute for evidence.

NRS can make an early contribution by proposing class-based qualification rather than all-or-nothing recognition. That would let the Internet test new services without handing them every risk at once. It would also make incumbent services more accountable because their own powers could be described by class. If a current RIR performs weakly in one service category, the remedy can target that category instead of threatening the whole institution.

The continuing-condition principle should be strict about evidence. Registrars should publish service metrics, security attestations, incident categories, correction latency, export success, dispute counts, rejected conflict attempts and audit results. They should not be permitted to hide behind general claims of community legitimacy. Qualification is a present-tense condition. It is earned repeatedly.

The ledger can improve finance and customer diligence without becoming a market regulator

Scarce IPv4 records already appear in transactions, financing discussions, insurance questions, cloud onboarding, enterprise procurement and merger reviews. A portability-era ledger would affect those markets even if it never states a price. That is not a reason to avoid the ledger. It is a reason to keep its role narrow.

For finance, the useful signal is not that IANA or NRS values a prefix. The useful signal is that a lender or buyer can verify current status, registrar responsibility, dispute flags, pending transfer state, service-move locks, RPKI transition risk and export history. A lender does not need the root to certify collateral value. It needs evidence that the registration state can be located, checked and maintained if the borrower changes registrar or enters distress.

For customers, the useful signal is continuity. A managed-service buyer, cloud customer or public-sector agency wants to know whether the addresses supporting a service are likely to remain reachable and accountable through a corporate change, registrar move or dispute. The ledger can show that the resource has a current registrar, that a change is pending, that no duplicate status has been accepted, and that dependent service transitions have a public state. It should not decide whether the customer's contract is good.

For brokers and transfer parties, the useful signal is event separation. A transfer pending flag, registrar move pending flag and dispute flag let parties avoid the common mistake of treating every registry update as ownership proof. They can negotiate around closing conditions, escrow release, customer notices and rollback. The ledger supplies status; the parties supply commercial terms.

For abuse and security teams, the useful signal is responsibility. During a registrar move, abuse contacts and RDAP endpoints can become stale. A ledger status can identify which registrar is responsible for the current public record and whether a transition is underway. That reduces wasted escalation without making the root a content or abuse court.

These benefits depend on refusing market-regulator temptation. The root should not record sale price as a condition of status. It should not judge whether a holder "uses" a prefix efficiently. It should not impose financing terms. It should not favour customers who can afford premium registrar services. It should provide a reliable public state so other markets can make their own decisions with fewer hidden registry risks.

NRS's positive thesis is strongest when it says exactly that. Pay for proof. Compete on service. Keep the root common. Let private markets, courts and operators use the evidence without letting the ledger become their master.

Geography should remain evidence, not imprisonment

Regional registries were built around geography because service, community formation and early allocation history had regional shape. Geography still matters. Law, language, dispute forums, public-sector customers, telecom regulation, tax treatment, sanctions exposure, emergency response and local operating norms can all affect a holder. A portability-era ledger should not erase geography from the evidence file.

But geography should not be the same thing as permanent institutional captivity. A holder incorporated in one jurisdiction, operating in another and serving customers across several regions may have good reasons to choose a registrar that understands its real operating risk. A multinational group may need consolidated service support while preserving local public records. A network recovering from a failed regional institution may need immediate continuity from another qualified registrar.

In those cases, the question should be whether the registrar move preserves uniqueness and evidence, not whether a map once made the old office unavoidable.

The ledger can handle geography by recording facts rather than enforcing fate. It can record the original allocation path, current holder jurisdiction, operating contact regions, registrar location, applicable dispute forum where known, and any regional policy condition that still affects the resource. Those facts help relying parties. They do not require the holder to remain with one registrar forever.

This distinction is important for fairness. Poorer or smaller networks are often least able to absorb failure by a regional monopoly. If the only answer to institutional breakdown is patience, they pay in customer churn, delayed procurement, blocked financing and operational uncertainty. Portability gives them a safety valve. The root ledger keeps that safety valve from becoming an uncontrolled duplicate record.

Geography-as-evidence also protects public interests. A government, court or regulator can still be recorded when it has lawful relevance. A registrar move does not erase a court order, a sanctions concern, an insolvency stay or a public-service dependency. It simply prevents geography from being used as a blanket reason to deny service choice when the actual legal or operational condition can be stated more precisely.

NRS should be careful here. Its positive case for free enterprise and holder control is strongest when it respects legitimate local facts while rejecting unnecessary institutional lock-in. The IANA ledger after portability should make geography visible, reviewable and bounded. It should not turn geography into a prison, and it should not pretend geography has disappeared.

What NRS should prove first

NRS does not need to begin by asking for the whole system. It can begin by proving the smallest useful pieces. First, publish a status-commitment format for voluntary holder records that distinguishes current recognized authority from supplemental evidence. Second, show deterministic overlap checks for address intervals and AS-number ranges. Third, issue holder export receipts that survive registrar exit. Fourth, run migration rehearsals using test resources and real dependency checklists.

Fifth, create an independent monitor programme that verifies commitments and checks for inconsistent histories. Sixth, publish refusal and dispute categories. Seventh, disclose security incidents and recovery tests. Eighth, support a privacy model in which protected evidence is committed and reviewable without being dumped into public view. Ninth, invite incumbent registries, operators, lenders, brokers, cloud networks and auditors to test the service without requiring them to accept full authority.

These first proofs would change the conversation. Instead of arguing about whether NRS deserves recognition, the community could inspect which functions are working. A registrar that demonstrates clean exports may earn private reliance for due diligence. A registrar that passes migration rehearsals may earn pilot reliance for low-risk service moves. A registrar that supports robust audit may become useful even before formal IANA integration.

The same discipline can then be applied to the eventual IANA ledger. Recognition can be modular. A service can be qualified for supplemental evidence, then service-pointer trials, then live registrar moves, then emergency continuity support. Each level has tests, monitoring and withdrawal conditions. This is how a high-stakes system changes without betting the whole Internet on a single political decision.

The positive NRS claim is not that trust should be decentralized into untestable fragments. It is that service power should be decentralized while uniqueness remains globally testable. That is a coherent reform because it recognizes that the root and the registrar do different jobs.

The ledger after portability

After regional portability, the IANA ledger should be boring in the best sense. For each resource, it should say what the current status is, which registrar is responsible for service, whether a transfer or registrar move is pending, whether a dispute or emergency condition is noted, where public services can be reached, and how the event history can be audited. It should reject contradictions. It should preserve old states. It should not try to be a court, broker, bank, regulator or network operator.

Registrars should be interesting. They should compete on support, assurance, evidence quality, migration, RPKI options, reverse-DNS coordination, customer tooling, financing documentation, dispute navigation and resilience. Bad registrars should lose customers and qualification. Good registrars should earn reliance. Holders should not have to depend permanently on the same institution merely because a regional map once assigned them there.

This is the cleanest form of the NRS thesis. The Internet does not need patronage to preserve uniqueness. It needs a root commitment that is narrow enough to verify and strong enough to prevent duplicates. It needs service providers that can be replaced. It needs holders that can carry evidence. It needs auditors and monitors that can rebuild the story. It needs IANA to protect the common status without owning every downstream relationship.

Regional portability will fail if it is sold as a shortcut around evidence. It will succeed if it is built as a stronger evidence machine. A global ledger records one status commitment. Competing registrars serve customers. No one gets to allocate the same resource twice. That is the institutional bargain worth building.

Sources