What Is a TLD?


A TLD is the label at the far right of a normal domain name: .com, .org, .net, .edu, .uk, .jp, and thousands more. It is where DNS delegation begins below the root.

Where a TLD Sits

DNS names are hierarchical. In www.example.com, the root is implied after com, com is the top-level domain, example is registered under com, and www is a hostname or subdomain label under example.com. Every fully qualified domain name ends with the root label, written as a trailing dot in zone files, so the complete form is "www.example.com." with the final dot. Browsers and most tools omit the trailing dot.

Types of TLDs

| Type | Examples | Meaning |
| --- | --- | --- |
| Generic TLD | .com, .org, .net | General-purpose or category-based zones |
| Country-code TLD | .us, .uk, .jp | Two-letter country or territory codes |
| Sponsored or restricted TLD | .edu, .gov, .mil | Eligibility rules controlled by policy |
| New gTLD | .app, .dev, .cloud | Expanded generic namespace opened from 2012 onward |
| Internationalized TLD | .مصر, .中国 | Non-ASCII labels encoded in Punycode at the DNS layer |

How IANA Manages the Root Zone

The Internet Assigned Numbers Authority (IANA), a function of ICANN, maintains the DNS root zone, the authoritative list of every TLD that exists. When a new TLD is approved, IANA adds a delegation record pointing to that TLD's nameservers. Those nameservers then answer queries for names under that TLD. The root zone file is served by thirteen root server clusters (named A through M), distributed globally via anycast so that thousands of physical nodes can answer root queries quickly. Changes to the root zone go through a formal signing process using DNSSEC, with the root key signing key (KSK) managed through regular ceremonies that are publicly audited.

Registry vs Registrar

A registry operates the TLD zone. A registrar sells or manages registrations for customers. When you buy example.com, the registrar handles your account and sends registration data to the .com registry operated by Verisign. DNS delegation then points the domain to authoritative nameservers of your choice. Many registrars also offer DNS hosting, but the two functions are separate — you can register at one company and host DNS at another.

ccTLD Policies: Delegation and Re-Delegation

Country-code TLDs are two-letter codes drawn from ISO 3166-1. Each ccTLD is delegated to a sponsoring organization — usually a national registry — that sets its own registration policies. Some ccTLDs are open to anyone worldwide (.tv, .io, .co), while others restrict registration to residents, businesses, or entities connected to the country. IANA can re-delegate a ccTLD if the sponsoring organization no longer meets its obligations, though re-delegation is rare and typically follows a long consultation period. Notable re-delegations have occurred when registries changed hands due to political transitions or organizational failures.

Internationalized Domain Names and Punycode

Internationalized Domain Names (IDNs) allow labels written in non-ASCII scripts, such as Arabic, Chinese, Devanagari, or Cyrillic. At the DNS layer, these labels are encoded in Punycode with the prefix xn--. For example, the Arabic TLD for Egypt (.مصر) is transmitted in DNS as .xn--wgbh1c. Browsers decode Punycode back to the native script for display, but the wire protocol and zone files always use the ASCII-compatible encoding. IDN TLDs raise homograph attack risks, where visually similar characters from different scripts are exploited to create deceptive domain names. Registries and browsers have adopted policies to limit mixing scripts within a single label.
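
The encoding and the mixed-script risk described above, as an added example that is not part of the original page. It uses Python's built-in idna codec; the script check (first word of each character's Unicode name) is a simplified stand-in for real registry and browser policies, and the lookalike name is constructed.

```python
import unicodedata

def to_wire(name: str) -> str:
    """Unicode domain name -> ASCII-compatible form sent in DNS queries."""
    # Python's built-in "idna" codec implements IDNA 2003 and adds the xn-- prefix.
    return name.rstrip(".").encode("idna").decode("ascii")

def to_display(wire_name: str) -> str:
    """ASCII-compatible form -> native script, as a browser would display it."""
    return wire_name.encode("ascii").decode("idna")

def label_scripts(label: str) -> set:
    """Approximate each character's script by the first word of its Unicode name."""
    scripts = set()
    for ch in label:
        if ch.isdigit() or ch == "-":
            continue  # digits and hyphens are shared across scripts
        scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts

def mixed_script_labels(wire_name: str) -> list:
    """Return (wire_label, unicode_label, scripts) for labels that mix scripts."""
    flagged = []
    for wire_label in wire_name.rstrip(".").split("."):
        unicode_label = to_display(wire_label)
        scripts = sorted(label_scripts(unicode_label))
        if len(scripts) > 1:
            flagged.append((wire_label, unicode_label, scripts))
    return flagged

if __name__ == "__main__":
    egypt = "\u0645\u0635\u0631"        # the Arabic TLD for Egypt, written with escapes
    print(to_wire(egypt))
    lookalike = "ex\u0430mple.test"     # constructed: U+0430 is Cyrillic "a"
    wire = to_wire(lookalike)
    print(wire, mixed_script_labels(wire))
```

Running the check on the wire form matters because logs, zone files and certificates carry the xn-- label, not the script the user sees.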

DNSSEC at the TLD Level

DNSSEC adds cryptographic signatures to DNS records so resolvers can verify authenticity. The root zone is signed with the root KSK, which is the ultimate trust anchor in the DNSSEC chain. Each TLD operator signs its own zone and publishes a DS (Delegation Signer) record in the root zone to link its key to the root. When a registrant enables DNSSEC on their domain, the TLD registry publishes a DS record for that domain in the TLD zone, completing the chain from root down to individual records. Not all TLDs support DNSSEC for second-level domains, and not all registrars support uploading DS records, so deployment remains uneven.

Security Considerations: .onion and HSTS Preload

The TLD .onion is a special-use domain recognized by RFC 7686. It is not in the IANA root zone and resolves only inside the Tor network to hidden service descriptors. Browsers and resolvers must not attempt normal DNS lookups for .onion addresses, as doing so would leak the attempted connection to ordinary DNS. Separately, some new gTLDs are enrolled in the HSTS preload list. Google's registry operates .app and .dev with mandatory HTTPS: browsers preload these TLDs and refuse plain HTTP connections to any domain under them, regardless of whether the individual site has set an HSTS header. This TLD-wide enforcement is distinct from individual site HSTS preloading.

Implications for Developers

TLD boundaries matter in several practical ways for web developers. Cookie scope in browsers follows the public suffix list (PSL), maintained at publicsuffix.org. The PSL defines which domain labels count as the effective TLD for purposes of preventing Set-Cookie: Domain=.com from applying across all .com sites. Libraries that handle cookies, SameSite policies, and CORS origin checks consult the PSL to determine registrable domains. New gTLDs and private domains like those used by GitHub Pages are listed in the PSL so that different customers cannot share cookies across them. Developers adding a custom TLD or operating a hosting platform should evaluate whether to submit a PSL entry.
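
How a cookie library can apply PSL rules, as an added example that is not part of the original page or of any particular library. The rule set is a small constructed subset embedded so the code runs offline, and the function names are hypothetical; the matching follows the published PSL algorithm (longest rule wins, wildcard rules, exception rules).

```python
# Constructed subset of Public Suffix List rules; the real list at
# publicsuffix.org is far larger and changes over time.
RULES = {"com", "uk", "co.uk", "io", "github.io", "*.ck", "!www.ck"}

def public_suffix(host: str) -> str:
    """Return the public suffix (effective TLD) of host under RULES."""
    labels = host.lower().rstrip(".").split(".")
    best = 1  # default rule "*": the last label alone is a public suffix
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        parent = ".".join(labels[i + 1:])
        if "!" + candidate in RULES:
            return parent  # an exception rule overrides every other match
        if candidate in RULES or (parent and "*." + parent in RULES):
            best = max(best, len(labels) - i)
    return ".".join(labels[-best:])

def registrable_domain(host: str):
    """Public suffix plus one label, or None if host is itself a public suffix."""
    labels = host.lower().rstrip(".").split(".")
    suffix_len = len(public_suffix(host).split("."))
    if len(labels) <= suffix_len:
        return None
    return ".".join(labels[-(suffix_len + 1):])

def cookie_domain_allowed(request_host: str, domain_attr: str) -> bool:
    """Simplified Set-Cookie Domain check: reject public suffixes and non-matches."""
    domain = domain_attr.lower().lstrip(".")
    host = request_host.lower().rstrip(".")
    if public_suffix(domain) == domain:
        return False  # e.g. Domain=.com would apply across all .com sites
    return host == domain or host.endswith("." + domain)

if __name__ == "__main__":
    for host, attr in [("shop.example.com", ".com"),
                       ("shop.example.com", "example.com"),
                       ("alice.github.io", "github.io")]:
        print(host, attr, cookie_domain_allowed(host, attr))
```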

Why TLDs Matter

  • They define the parent zone for a registered domain and the start of DNS delegation.
  • They can have different rules, prices, and eligibility requirements set by the registry.
  • They influence user trust and brand expectations across markets and languages.
  • They affect DNSSEC chain coverage depending on whether the TLD publishes DS records.
  • Some TLDs have mandatory HTTPS enforcement through browser HSTS preload lists.
  • The PSL boundary at the TLD level determines cookie and origin scope in browsers.

TLDs Do Not Guarantee Trust

A serious-looking TLD does not prove a site is safe, and a newer TLD does not prove a site is unsafe. Phishing campaigns routinely register under .com. Trust comes from the actual organization behind the domain, certificate validity, site behavior, reputation signals, and whether the domain is the one you intended to visit. The padlock icon confirms an encrypted connection to the stated hostname, not that the hostname belongs to a trustworthy party.

Frequently Asked Questions

What does TLD stand for?

TLD stands for Top-Level Domain. It is the DNS label directly below the root, such as com, org, net, or a country-code TLD.

Is .com a TLD?

Yes. .com is a generic top-level domain, commonly called a gTLD.

What is the difference between a registry and a registrar?

A registry operates a TLD zone, while a registrar sells or manages domain registrations for customers under that TLD.
