Summary
- A child-zone operator does not obtain public reverse-DNS authority merely by serving correct PTR, NS and SOA data. The parent must publish a referral, and a validating chain may also require the correct DS records.
- Refusal can be technically justified. IANA publishes baseline tests for zones it manages, including authoritative service, server reachability, network diversity and consistency. A broken child can impair users and should not be delegated simply because its operator asks.
- The authority chain has distinct layers. The IETF specifies protocols; the IAB has a policy role for
.arpa; IANA operates upper reverse zones; RIRs submit changes for allocated number space and operate regional parent zones; holders or providers operate lower children. - RFC 7745 gives RIRs and IANA an authenticated, atomic mechanism for NS and DS updates with acknowledgements. It deliberately leaves authorization scope outside the standard, so technical authentication does not answer whether an RIR correctly refused a holder.
- Current review is fragmented. IANA permits case-by-case expert consideration of appeals against its technical requirements. The IANA Numbering Services Review Committee assesses operator service levels for the numbers community. Neither is a universal merits tribunal for every holder-to-RIR delegation dispute.
- The 2024 amendment to the IANA Numbering Services agreement brought reverse-resolution operation, distribution and the RIR provisioning interface into an explicit continuity framework. That strengthens review of the upper service without resolving every lower-level remedy.
- A transferable update path requires more than portable zone files. It needs portable authority evidence, independent credentials, old and new NS and DS state, acknowledgements, activation controls, rollback and a successor operator able to use the record.
- Number Resource Society can make refusal rules and test evidence comparable and advocate a minimum appeal standard. It cannot bypass a parent, authenticate a holder by assertion or turn service-level oversight into authority over individual cases.
A correct child can be absent from the Internet
Consider an operator responsible for the reverse zone corresponding to a block of addresses. Two authoritative servers answer over UDP and TCP. Their SOA and NS records agree. PTR names resolve forward to the same addresses. DNSSEC signatures validate from a locally configured trust anchor. From the child's point of view, the zone is ready.
A public recursive resolver knows none of this unless it can descend through the DNS tree. It starts at the root, reaches .arpa, then in-addr.arpa for IPv4 or ip6.arpa for IPv6, and follows referrals toward the relevant address range. If a parent has not published the child's NS set, the resolver does not discover those otherwise healthy servers. If the parent publishes a stale referral, it discovers the wrong ones. If the parent carries a DS record that no longer matches the child, DNSSEC validation can fail even while unsigned querying appears normal.
This is ordinary DNS architecture, not an exceptional administrative trick. Delegation is how a distributed name system assigns responsibility without placing every PTR record in one global zone. The parent must be able to say no to malformed, unreachable or unauthorized requests. Automatic acceptance would let a mistaken or malicious requester redirect address identity and would load the hierarchy with broken referrals.
But a necessary power is still power. The operator whose change is refused may lose mail reliability, diagnostic naming, abuse-handling context or the ability to complete a transfer. It needs to know which parent refused, under what rule, on what evidence and before which reviewer. The answers are less unified than the apparent simplicity of one DNS query suggests.
The hierarchy is technical and constitutional at once
The .arpa domain is reserved for Internet infrastructure. RFC 3172 describes a structure in which the Internet Architecture Board has policy responsibility, IANA performs operational administration and specific subdomains follow their defining standards. IANA's current .arpa page similarly says it administers the domain in cooperation with the technical community under IAB guidance.
For IPv4 reverse mapping, in-addr.arpa uses the address octets in reverse order. For IPv6, RFC 3152 established ip6.arpa, while RFC 3596 specifies the relevant DNS extensions and nibble-based reverse form. The upper zones are not general-purpose brand registries. Their delegation follows number-resource allocation and technical responsibility.
RFC 3172 says subdelegations within in-addr.arpa follow IANA address-allocation practices and that names within ip6.arpa are further delegated to RIRs in accordance with IPv6 address delegation. This alignment solves a serious legitimacy problem: the operator of the reverse parent is not supposed to choose a favourite company independently of number-resource authority. The DNS branch should follow the coordinated allocation record.
Alignment does not eliminate judgment. Someone must authenticate the requesting RIR, decide whether a proposed NS or DS set is technically safe and determine when an allocation or transfer has become effective. Farther down, an RIR must authenticate the holder or provider requesting a child change. A protocol can carry each decision securely without proving that the underlying organizational conclusion is right.
The constitution is therefore layered. Standards assign roles. Allocation records identify scope. Contracts and community policies constrain institutions. Operating systems publish the actual zones. Review bodies inspect some decisions but not others. The live DNS answer is the final operational evidence, while legitimacy depends on the chain that produced it.
The late 1990s exposed the parent problem in miniature
IPv4 reverse delegation naturally fits address blocks on octet boundaries. A /24 maps neatly to a zone such as 0.2.192.in-addr.arpa. Smaller allocations do not. By the late 1990s, increasingly classless address assignment made this mismatch an everyday problem. RFC 2317 documented a practical method for delegating address space smaller than a /24.
The method leaves CNAME records in the provider-controlled parent and points individual reverse names into a child namespace operated for the customer. It is ingenious precisely because the DNS tree does not automatically mirror every classless routing boundary. It also demonstrates continuing dependency. The customer can maintain its child data, but the provider must preserve the CNAME links and the parent delegation. Portability is not achieved by copying the child's zone file alone.
The arrangement creates more than one possible refusal. A provider can decline to install the CNAMEs. It can install them incorrectly. It can delegate the child but retain stale aliases during a transfer. The RIR may not be the immediate parent for the small block, so an appeal to the RIR might concern registration authority while the operational change remains with an upstream network. The identity of “the parent” depends on the actual zone cut.
IPv6 removed the old class boundaries but not hierarchy. Nibble-based delegation can make certain prefix lengths easier than others, and providers may delegate customer reverse zones at chosen boundaries. RFC 8501 discusses several ISP approaches, including customer delegation, dynamic generation and negative answers. The operator's ability to publish a name still depends on the entity that controls the relevant parent.
This history matters because it prevents a false picture of one global gatekeeper. Upper reverse zones are coordinated centrally, regional zones are operated by RIRs and lower parents may be RIRs, local registries, providers or holders. Review must follow the refusal point rather than the brand at the top of the tree.
IANA is a parent operator, not the universal merits court
IANA coordinates the upper infrastructure. Its public performance reports explain that RIRs submit modifications for their number allocations through an interface and that IANA propagates those changes in the DNS. RFC 7745 documents the data structure and authenticated transaction used for reverse-DNS management between the RIRs and ICANN.
IANA also publishes technical requirements for authoritative name servers in zones it manages, including .arpa. Proposed servers must answer over UDP and TCP, answer authoritatively, be sufficiently diverse, agree on NS and SOA data and meet referral-size and address requirements. For DNSSEC, submitted DS records must be well formed and match a DNSKEY capable of validating the child. These checks prevent common failures from entering a high-impact parent.
If a request fails, IANA reports deficiencies for remediation. Its guidance says a requester facing special circumstances can appeal to bypass a requirement and that a subject-matter expert assesses the appeal case by case. This is a real review route, but a narrow one. It concerns IANA's baseline technical requirements for a change in a zone it manages.
It does not follow that any address holder can ask IANA to overrule an RIR and insert the holder's preferred name servers. The upper delegation follows IANA's number allocation to the RIR. IANA authenticates and processes requests from the responsible RIR. If the dispute is whether the RIR correctly recognized a holder, IANA is not positioned by the cited technical guidance as a global title court.
This limitation protects the allocation hierarchy from ad hoc bypass. It also leaves a remedy gap. A holder can prove that its servers meet every IANA technical test and still be unable to submit the change because the RIR does not recognize its authority. The technically ready child and the authorized requester are separate questions reviewed at different layers.
The RIR both authenticates and parents
An RIR typically receives upper reverse authority corresponding to address space allocated by IANA. Within that space, it maintains delegation information for holders or downstream operators. RIPE NCC documentation says its registration database stores domain entities whose nserver attributes define delegated name servers and that those data are used to produce DNS zones. APNIC says its reverse zones are generated from database entities and that its servers refer queries to name servers supplied by the network or end party.
This arrangement is efficient because the institution maintaining resource registration also authenticates the party requesting reverse control. A transfer update can change both records coherently. A former holder cannot keep reverse authority merely by retaining credentials to an unrelated DNS provider.
Concentration also creates a constitutional burden. The RIR may be the keeper of registration evidence, the operator of the parent zone, the author of service terms and the first reviewer of its own refusal. A dispute about corporate identity, fees or policy compliance can therefore block a DNS change without any technical defect in the child.
Regional rules are not uniform. APNIC makes reverse delegation available to members and non-members holding space, and it publishes a staged response to persistent lameness. RIPE NCC provides reverse service across several legacy-holder relationships. AFRINIC describes database registration and technical verification for holder name servers. These examples show common functions, not one shared appeal code.
The RIR must distinguish at least three decisions. Does the requester control the account? Is the requester the legitimate holder or authorized operator for this resource? Does the proposed child pass technical requirements? A password can answer the first and still be stolen. Corporate documents can answer the second and say nothing about DNS quality. Probe results can answer the third and say nothing about entitlement. A refusal notice should identify which test failed.
Authentication secures the message, not the conclusion
RFC 7745 describes an automated reverse-DNS update service requested by RIRs and deployed with ICANN. It uses HTTPS with client and server X.509 certificates, structured XML, an atomic transaction and acknowledgement or notification. The design protects against modification, insertion, deletion, interception and replay in the exchange.
These properties are substantial. Without authenticated transport, an attacker could replace an NS set or DS record between registry and parent. Atomic handling avoids a request being partly applied in ways the sender did not intend. Out-of-band notice gives the parties another signal that an update occurred.
The standard expressly leaves authorization of which delegations a certificate-authenticated session may affect outside its scope. That boundary is revealing. A cryptographically authenticated RIR message proves that the holder of an accepted client certificate sent the transaction. It does not prove that a particular staff decision, resource transfer or holder dispute was resolved correctly.
The same lesson applies below the RIR. A portal login, API token or signed request authenticates an actor. The registry still needs a rule connecting that actor to the resource and requested zone. During a merger or provider exit, the old credential may remain valid after authority has changed, or a new legitimate operator may lack access to credentials controlled by the predecessor.
Verifiable updates therefore need two evidence tracks. The technical track records who sent what, the old and new state, validation results, acknowledgement and publication. The authority track records which resource relationship permitted the sender to act and which reviewer resolved any conflict. Combining the tracks in one auditable event is more trustworthy than assuming strong cryptography cures weak institutional judgment.
DNSSEC raises the cost of an incomplete handoff
Without DNSSEC, a wrong parent referral can make the child unavailable or direct queries toward the wrong servers. With DNSSEC, the parent may also publish DS records that authenticate the child's key. An NS update and a key transition can be related but are not the same operation.
If a parent retains a DS record after the child changes keys without a compatible rollover, validating resolvers can return failure. If the parent removes DS too early, the zone may remain reachable but lose authenticated denial and data validation. If a transfer changes operators, the parties must coordinate key custody, zone contents, server delegation and parent DS state.
IANA's requirements test that a submitted DS has a matching DNSKEY and that a signature can validate. Those tests catch a dangerous immediate mismatch. They do not decide who should control the key or whether a transferor consented under the right policy. Technical correctness at activation is necessary, not sufficient.
A portable child therefore needs a key-transition plan. The new operator should be able to prepublish keys or use an agreed overlap method, submit parent changes through an authorized route and verify them from independent resolvers. The old operator should lose authority at a declared point, not at an accidental gap between tickets.
The public record should show enough state to diagnose failure: prior and replacement DS sets, key tags and algorithms, validation observations and activation times. Secret keys must never be part of that record. Portability is about transferring recognized authority and verifiable public state, not copying private key material indiscriminately.
Upper-level oversight became more explicit after 2016
The 2016 stewardship transition replaced the former United States government contract for IANA numbering services with an agreement between ICANN and the five RIRs. The agreement separates policy development from IANA's administrative and technical operating role, sets reporting and security duties, provides for review, dispute resolution and continuity, and contemplates transition to a successor operator.
The IANA Numbering Services Review Committee was created to advise the Number Resource Organization Executive Council in periodic assessment of IANA performance. It has representatives from each RIR region, open meeting material and annual reports built around performance information and community comment. This creates a visible line of service-level accountability for the numbers community.
Reverse-resolution operations were later made explicit. After consultation, Amendment No. 1 was signed in November 2024. It covers the relevant reverse zones, distribution servers and the provisioning interface used by RIRs. The amendment addresses redundancy, distribution, heterogeneous configurations, standards compliance, monitoring, incident handling and service targets. Monthly IANA reports now publish reverse-DNS performance measures such as interface availability, propagation and authoritative service availability.
This was an important institutional correction. A service that had long been operationally critical gained clearer contractual treatment and continuity obligations. The agreement's transition framework also matters to portability: upper reverse service should be capable of moving to a successor operator rather than depending forever on one corporate arrangement.
But service-level oversight has a defined entity. The Review Committee assesses the operator's performance for the numbers community and advises the NRO Executive Council. It is not described as hearing every dispute between an end holder and an RIR over a child-zone request. The RIRs are the customers and collective contractual counterparty at this layer.
Accountability at the top can therefore coexist with weak remedy below. IANA may meet every availability target while an RIR incorrectly refuses one holder. Conversely, a holder's local dispute does not prove that IANA failed its agreement. Review must name the layer being judged.
Who reviews a refusal today?
The first answer is usually the institution that made it. An IANA technical rejection can be remediated by correcting the proposed servers or can receive case-by-case expert consideration under published guidance. An RIR refusal may go through support escalation, management review, an ombuds function, board process, arbitration or court depending on regional policy, contract and subject. A provider refusal may be governed by its service agreement and the holder's ability to ask the RIR for a different delegation.
The IETF can revise standards through its open standards process. The IAB can exercise its policy responsibility for .arpa and provide architectural oversight. These bodies can correct a general design defect. They do not ordinarily inspect the corporate records in an individual /24 dispute or operate an emergency DNS restoration desk.
The NRO Review Committee can identify service-level failure by IANA and advise the NRO Executive Council. It can invite community input and compare performance against the agreement. It does not replace regional review of whether a holder was correctly recognized. The ICANN accountability mechanisms applicable to naming functions should not be assumed to cover an RIR holder dispute merely because IANA also performs naming operations.
Courts and arbitrators can supply independent authority, but their jurisdiction and speed vary. A court may determine contract or ownership questions without prescribing the exact NS and DS transition. Emergency judicial relief may be available in some places and impractical in others. It is misleading to call litigation a complete operational appeal.
The result is a chain of partial reviewers. Each sees a different question: protocol design, upper service performance, regional registration authority, technical readiness or legal right. The institutional gap is not the absence of any review. It is the absence of a consistently documented handoff between them, with one body empowered to preserve DNS continuity while the merits travel through the chain.
A refusal must carry a reason code and evidence
“Request denied” is inadequate because it conceals the layer of failure. A useful response should state whether the request failed authentication, resource authority, technical validation, policy, contract or law. Each category requires different evidence and a different reviewer.
For a technical rejection, the parent should provide the exact failed test, query name and type, server address, transport, observation time and expected condition. If network diversity is limited public evidence, it should identify the origin networks observed. If DS validation fails, it should identify the mismatch without exposing secrets. The child operator can then reproduce and cure the problem.
For an authority rejection, the parent should identify the resource scope and the missing or conflicting evidence. It may need to protect another claimant's documents, but it can still explain whether the issue is corporate succession, delegated authority, transfer completion, account compromise or a contrary registration record. A bare assertion that the requester is unauthorized prevents meaningful correction.
Policy and legal refusals require the operative rule and decision maker, subject to lawful confidentiality. The notice should distinguish a temporary hold from a final decision and give an expiry or review date. An emergency refusal can precede full reasons, but the record should be completed promptly.
Reason codes also improve aggregate accountability. A registry can report how many requests failed technical checks, how many were cured, how many involved contested authority and how many were reversed on review. Without this taxonomy, one total refusal count mixes prudent DNS protection with possible institutional error.
Transferability begins before a crisis
An institution is not operationally replaceable merely because its software is open or its zone files can be copied. A successor parent needs the current delegations, credentials or a method to replace them, authority records, pending requests, DNSSEC state, contact data, audit history and a secure way to publish updates.
The IANA Numbering Services agreement recognizes this at the upper layer through continuity and successor-operator provisions. Its 2024 reverse-service amendment identifies distribution and provisioning components that must continue. These obligations reduce dependence on tacit knowledge held by one operator.
The same discipline should apply at RIR and provider boundaries. Each parent should maintain delegation data in a documented, non-proprietary form. It should be able to export the current NS and DS state, the resource relationship authorizing it and pending transition events. Independent credentials should be recoverable or replaceable after verified authority changes; they should not depend solely on an email domain operated by the outgoing provider.
Transfer does not mean that any claimant can demand the dataset. Disclosure must follow verified authority and privacy rules. Nor does it mean two parents should publish conflicting answers indefinitely. A transfer plan should identify one effective parent state at each moment, with preparation, activation, bounded overlap where technically appropriate, rollback and retirement.
Most portability failures begin before formal transfer. Contacts are stale, a provider owns all credentials, DS state is undocumented or the holder has never tested a change. Parent operators should require periodic contact confirmation and offer a recovery route that can be exercised without the current service provider's cooperation. Holders should treat reverse delegation as part of their continuity inventory, not as a one-time registry form.
Verifiability requires an observable state machine
DNS publication is eventually observed through caches, so a change cannot be represented honestly as one instantaneous global switch. Still, the parent can expose a clear institutional state machine: requested, authenticated, technically validated, authorized, scheduled, published, verified, completed, rolled back or refused.
Each state should have a timestamp, responsible actor and evidence reference. The proposed old-to-new diff should remain immutable once approved; a changed request should receive a new event identifier. Publication should record the parent zone serial or equivalent state and the acknowledgement returned to the requester. Independent probes should verify the live answer after publication.
This model makes delay legible. A holder can see whether its request is waiting for identity review or DNS tests. IANA and an RIR can distinguish an interface acknowledgement from actual propagation. An auditor can determine whether a refusal occurred before or after authorization and whether a rollback restored the previous state.
Cryptographic logs can strengthen integrity, but technology should not obscure access. A signed append-only event record is useful only if affected operators can obtain and understand the relevant entries. Public transparency can show zone changes and performance while confidential records preserve personal or legal evidence.
The live DNS remains decisive for users. A control panel that says “published” while parent servers return old data is not completion. Verification must query the authoritative parent, follow the delegation and, where applicable, validate DNSSEC. Governance evidence should converge on runtime truth.
Continuity review must be able to pause the parent
An appeal filed after a refused update may not need a stay if the existing delegation remains healthy. An appeal against withdrawal is different. Once the parent removes a child or publishes an incompatible DS, mail and other services can degrade before a merits decision arrives.
A continuity reviewer should have limited authority to preserve or restore the last known good state. The reviewer need not decide ultimate resource title at the emergency stage. It can ask whether keeping the current delegation for a short period creates greater risk than removal, whether the servers remain technically sound and whether the requester has presented a credible connection to the resource.
This is comparable to an interim order, not final victory. The stay should have conditions and a review date. A compromised key, active abuse or final transfer may make restoration unsafe. The reviewer should be able to narrow the remedy, such as removing a broken DS while preserving NS referral, or retaining healthy zones while allowing action on the disputed subset.
The function should be independent of the original decision queue. Otherwise urgency simply sends the case back to the staff whose action is challenged. Independence can be achieved through a separate officer, cross-functional panel or external neutral under regional rules. What matters is authority to change the technical outcome and a written record.
Service targets should distinguish acknowledgement, interim decision, merits review and DNS propagation. Reporting a fast ticket response says little if no one can republish the zone. A remedy is effective only when the parent answer has been verified.
Refusal is sometimes the continuity measure
The argument for review should not be mistaken for a presumption that every child request deserves acceptance. A parent that publishes an unreachable server set creates a lame delegation. A parent that accepts a DS without a matching key can make a signed child bogus. A parent that obeys a stolen credential can transfer identity to an attacker.
IANA's baseline tests are therefore a form of continuity protection. Requirements for multiple servers, authoritative answers, consistency and network diversity reduce predictable single points of failure. The ability to consider a justified exception prevents the baseline from becoming mechanically destructive in unusual circumstances.
At lower levels, APNIC's published lameness procedure shows another side of refusal. The registry observes a suspected defect over time, notifies contacts and eventually blocks a persistently lame delegation. Removal prevents repeated referral to nonfunctioning servers. Because the holder can remove the administrative marker after repair, the measure connects refusal to cure.
Authorization refusal can also protect continuity. During a contested transfer, accepting the first claimant's servers may disrupt a functioning network. A temporary hold can preserve the existing child while evidence is reviewed. The problem arises when hold and withdrawal are treated as the same action or when the hold has no owner, expiry and appeal.
Good governance makes refusal easier to defend. Published tests, reproducible evidence, narrow scope and an effective remedy show that the parent is protecting the tree rather than exercising unexplained discretion. The objective is accountable authority, not automatic delegation.
Provider exits are the practical test of portability
Many holders do not operate authoritative DNS directly. A transit provider, hosting company or managed DNS vendor may run the child zone and control the interface through which NS or PTR data are changed. This specialization is reasonable. It becomes dangerous when provider exit also blocks the holder's route to the parent.
The holder should be able to prepare replacement servers, prove authority to the parent and request a change without the former provider's consent once contractual and notice conditions are satisfied. The parent should notify the outgoing operator and protect against account takeover, but it should not require an impossible signature from a party whose service is being replaced.
Classless IPv4 delegation makes this especially delicate. The upstream provider may control CNAMEs in the parent /24 as well as the delegation to the customer's child. Moving service can require coordinated edits at several names. The holder needs an inventory of those parent-side records, not only a copy of PTR data.
If the upstream itself fails, an RIR may be able to change a higher zone but cannot always reconstruct every lower record immediately. Contracts and technical guidance should require providers to supply exportable reverse mappings and transition assistance. Parent operators should document an emergency path for cases where the immediate parent has disappeared.
No design can guarantee painless transfer when parties dispute payment or data ownership. It can prevent technical dependency from deciding the dispute by default. A holder with verified resource authority, prepared servers and complete state should have a path to a new parent relationship that does not rely on permanent cooperation from the old operator.
Upper-zone diversity does not replace decision accountability
RFC 5855 established stable names for the servers of in-addr.arpa and ip6.arpa and emphasized secure, stable hosting. The 2024 amendment to the IANA agreement calls for redundant and distributed reverse-DNS infrastructure and heterogeneous configuration across the server set. These are sensible protections against operational failure.
Multiple authoritative servers can keep a correct parent zone available when one site or implementation fails. They do not independently decide which child NS set belongs in that zone. If the distribution source contains a mistaken refusal or stale delegation, replicas can serve the same mistake very reliably.
This is a familiar governance distinction between availability and correctness. Diversity of servers protects delivery of the current decision. Diversity of review protects the decision itself. Both are necessary, and metrics should not substitute one for the other.
IANA's monthly reports measure interface, distribution and DNS availability and the handling of RIR amendments. A complementary accountability report would measure refused requests, exception reviews, publication reversals and recovery from incorrect state. At the RIR layer, similar measures should cover holder requests and parent-zone effects.
The absence of a service outage does not prove that every delegation decision was right. The absence of an appeal does not prove that every holder had an accessible remedy. Institutions should measure what their architecture can conceal.
The public record should prove the chain without exposing secrets
A reverse delegation is public by design. Anyone can query NS, DS and PTR data. It might therefore seem that no additional transparency is needed. Live DNS shows current state, but not necessarily who requested it, why it changed, what preceded it or whether the parent initially refused.
A useful public change record could identify the zone, old and new NS and DS sets, publication time, reason category and technical validation status. For contested or security-sensitive cases, requester identity and detailed evidence can remain confidential. The holder should receive a fuller record adequate for review.
Historical data matter because caches and later edits can erase the decisive state. A researcher examining an outage months later needs the parent-zone version and timeline, not a current query. A transfer dispute needs proof of when authority changed and which servers were designated at that time.
The record should not be treated as proof of address ownership beyond its purpose. It shows that an authorized parent published a DNS delegation under its rules. Property and contractual claims may require other evidence. Nor should public history expose private contacts or cryptographic credentials.
The design challenge is to make institutional action auditable while preserving operational security. Signed change statements, retained zone versions and redacted decision summaries can achieve more than either total secrecy or indiscriminate disclosure.
A minimum review compact for every parent
Despite regional variation, every operator of a reverse parent can adopt a common minimum compact. First, publish the classes of request it accepts, the authority evidence required and the technical tests applied. A holder should know before a transfer which parent controls each zone cut and how to reach it.
Second, issue reproducible refusals. Name the failed category, affected zone, evidence, cure and deadline. Distinguish authentication, authority, technical readiness, policy and legal compulsion. Do not hide a merits decision behind a generic DNS error.
Third, provide two review speeds. Ordinary review can examine policy and evidence thoroughly. Emergency continuity review should decide quickly whether to preserve or restore the last known good parent state. Both should be independent of the original actor to a degree appropriate to impact.
Fourth, maintain a portable event record and successor plan. Current and historical NS and DS state, pending requests, credentials, contacts and validation evidence must survive staff turnover, corporate failure and operator transition. The successor should be able to continue updates securely without reconstructing legitimacy from scattered emails.
Fifth, verify runtime outcome. A change is complete only when authoritative parent answers and child validation match the approved state. The same probes should verify rollback. Service targets should reflect publication and observed DNS, not just ticket closure.
Sixth, report aggregate results with meaningful denominators. Requests, refusals, cures, appeals, reversals, emergency actions and propagation times should be counted by reason. The report should state what it cannot measure, including downstream application impact and unreported disputes.
This compact does not erase local law or RIR autonomy. It defines the minimum evidence needed to exercise hierarchical power credibly.
Research should map actual parents, not assumed ones
Studying reverse-DNS governance requires more than reading top-level institutional charts. The relevant parent for one address may be an RIR; for another it may be an upstream provider using RFC 2317; for early-registration space it may involve shared zone arrangements. Researchers should trace the live delegation from the root and record every zone cut.
They should separate observation from authority. DNS queries show which servers are delegated and what they answer. Registration data and contracts indicate who is recognized. Policy documents describe possible action. None alone proves the reason for a historical refusal.
Measurements should record query vantage point, time, transport, DNSSEC validation and cache status. A resolver's stale answer can differ from the authoritative parent. A SERVFAIL can arise from DNSSEC, network failure or server inconsistency. Calling every failure “parent refusal” would manufacture institutional conclusions from ambiguous packets.
Interviews and dispute records can fill the reason gap, but they need corroboration. A holder may sincerely believe an RIR removed a delegation when an immediate provider controlled the parent. A registry may describe a change as technical while an account event triggered it. The before-and-after zone state and decision record should be compared.
No complete public dataset enumerates every reverse parent, holder request, refusal, appeal and downstream consequence. Research should publish bounded case sets and resist global rates. The absence of a denominator is itself a finding supporting better event reporting, not permission to invent one.
The bounded role of Number Resource Society
Number Resource Society can help make this fragmented chain intelligible to holders. It can publish a diagnostic guide that starts with the live DNS path, identifies the actual parent at each cut and distinguishes missing referral, lameness, DNSSEC failure and absent PTR data.
It can compare RIR and provider rules using a common matrix: requester eligibility, technical tests, notice, emergency action, ordinary appeal, continuity stay, evidence access and transfer support. Such a matrix would let policy debate focus on observable rights rather than institutional slogans.
NRS can also maintain controlled test zones and open tools for capturing parent and child evidence. It can train smaller operators to preserve NS and DS state before a dispute and to prepare provider exits. It can bring documented gaps to RIR policy meetings and the numbers-community review of IANA service.
Its authority remains bounded. NRS cannot instruct IANA to accept an unauthorized RIR request, force an RIR to recognize a claimant or create a DNS delegation by publishing an alternative file. It should not describe the IANA Review Committee as an appeal court for members. Where two NRS entities assert competing rights, the organisation must disclose conflict and avoid pretending advocacy settles title.
The productive role is to improve evidence and minimum procedure. Hierarchical authority becomes more legitimate when affected operators can identify the decision maker, reproduce the reason and reach a reviewer before continuity is lost.
The parent should be powerful enough to say no, and accountable enough to be replaced
Reverse DNS cannot operate without parents. Someone must publish referrals, reject broken servers, authenticate requests and move authority after transfers. Diluting that responsibility among uncoordinated publishers would make answers ambiguous and attack easier.
The constitutional test is therefore not whether the parent has power. It is whether power follows number-resource authority, uses prospective technical rules, produces verifiable events and remains transferable to a successor. A parent that cannot be reviewed or replaced has turned an operational role into a permanent privilege.
The present architecture contains strong components. IETF standards define the hierarchy and secure update structure. IANA publishes technical tests and performance. The numbers community has a contractual review and continuity mechanism for the upper service. RIRs maintain registration-linked regional zones and several publish thoughtful operational procedures.
The weakness lies between layers. A holder refused by an RIR cannot assume IANA will hear the merits. A technically successful IANA service review does not validate every regional decision. A court can decide rights too slowly to preserve DNS. The remedy is an explicit chain of review, with a continuity officer able to hold the last known good state while the right forum decides the underlying question.
Transferable and verifiable update paths make that chain practical. They preserve authority evidence, credentials, state, acknowledgements and rollback so another operator can continue the service. They allow refusal to be narrow and justified rather than final by opacity.
A child zone should not be accepted merely because it asks. Nor should it disappear because the parent cannot explain itself. The stable middle is an accountable hierarchy: one effective answer, several layers of evidence, and a real path from refusal to review.
Sources
- RFC 2317: Classless IN-ADDR.ARPA Delegation
- RFC 3152: Delegation of IP6.ARPA
- RFC 3172: Management Guidelines and Operational Requirements for the ARPA Domain
- RFC 3596: DNS Extensions to Support IP Version 6
- RFC 5855: Nameservers for IPv4 and IPv6 Reverse Zones
- RFC 7745: XML Schemas for Reverse DNS Management
- RFC 8501: Reverse DNS in IPv6 for Internet Service Providers
- IANA: ARPA Zone Management
- IANA: Technical Requirements for Authoritative Name Servers
- IANA: Number Resource Performance Reports
- NRO: IANA Numbering Service Level Agreement
- NRO: Amendment No. 1 Incorporating Reverse Resolution Services
- NRO: IANA Numbering Services Review Committee
- APNIC: Reverse DNS Delegation
- APNIC: Operational Response to Lame Reverse Delegation
- RIPE NCC: Reverse Delegation
- AFRINIC: Reverse DNS
- ICANN: Service Level Agreement for the IANA Numbering Services

