TLD
Top-Level Domain
The rightmost label in a domain name — .com, .org, .net, .uk — sitting at the top of the DNS hierarchy just below the invisible root. ICANN manages the authoritative list of all TLDs and delegates each to a registry operator.
In the domain name www.example.com, .com is the TLD. The DNS hierarchy reads right to left: root (the invisible trailing dot) → TLD (.com) → second-level domain (example) → subdomain (www). When a DNS resolver looks up a name it doesn't know, it starts at the root servers, which refer it to the TLD's nameservers (Verisign's, for .com), which in turn refer it to the domain's authoritative nameservers. Every domain registration involves a TLD registry (which maintains the zone file) and a registrar (which sells registrations to end users).
TLD categories
| Type | Examples | Who can register |
|---|---|---|
| Generic (gTLD) | .com, .net, .org | Anyone, globally |
| Sponsored (sTLD) | .edu, .gov, .mil, .aero | Restricted to specific communities |
| Country-code (ccTLD) | .uk, .de, .jp, .au | Varies — some country-only, some open |
| New gTLD | .app, .dev, .shop, .tech | Anyone (from ICANN's 2012 program) |
| Brand TLD | .google, .apple, .amazon | Organisation-owned, exclusive |
IANA root zone management and root server clusters
IANA (Internet Assigned Numbers Authority), operated by ICANN, maintains the Root Zone Database — the authoritative list of every TLD and the nameservers delegated to operate it. Thirteen root server identities (A through M) exist, each operated by a different organisation (Verisign, USC, Cogent, University of Maryland, NASA, ISC, DISA, ARL, Netnod, RIPE NCC, ICANN, WIDE, and others). These are not thirteen physical machines — each identity is served by a cluster of hundreds of servers distributed worldwide via anycast. When a recursive resolver needs to look up an unfamiliar TLD, it contacts a nearby anycast instance of a root server to get the NS records for that TLD's zone, then proceeds from there.
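The referral walk described above (root hint → TLD nameserver → authoritative nameserver), as an added example that is not part of the original page. It is a toy iterative resolver over constructed zone data: the nameserver names and the 192.0.2.x addresses (RFC 5737 documentation range) are placeholders, and the "glue" entries stand in for the address records a parent hands out alongside a referral.

```python
# Added example, not code from the original page: a toy iterative resolver that
# follows referrals root -> TLD -> authoritative zone, as the text describes.
# All zone data is constructed for the example; nameserver names and the
# 192.0.2.x addresses (RFC 5737 documentation range) are placeholders.

ROOT_HINT = "192.0.2.250"  # constructed "root hint" address the resolver starts from

# Zone apex -> authoritative records and delegations to child zones.
# A delegation carries NS names plus glue (addresses of those nameservers).
ZONES = {
    ".": {
        "records": {},
        "delegations": {
            "com.": {"ns": ["a.gtld-servers.net."],
                     "glue": {"a.gtld-servers.net.": "192.0.2.1"}},
        },
    },
    "com.": {
        "records": {},
        "delegations": {
            "example.com.": {"ns": ["ns1.example.com."],
                             "glue": {"ns1.example.com.": "192.0.2.53"}},
        },
    },
    "example.com.": {
        "records": {"example.com.": "192.0.2.80", "www.example.com.": "192.0.2.80"},
        "delegations": {},
    },
}


def resolve(name: str):
    """Iteratively resolve an A record for a fully qualified name.

    Returns (address_or_None, trail) where trail lists (zone, server_contacted)
    in query order, e.g. [('.', ROOT_HINT), ('com.', '192.0.2.1'), ...].
    """
    name = name.lower()
    zone, server = ".", ROOT_HINT
    trail = []
    while True:
        data = ZONES[zone]
        trail.append((zone, server))
        if name in data["records"]:          # this zone is authoritative: answer
            return data["records"][name], trail
        # Otherwise look for the closest enclosing delegation (a referral).
        enclosing = [c for c in data["delegations"]
                     if name == c or name.endswith("." + c)]
        if not enclosing:                    # authoritative zone, name does not exist
            return None, trail
        child = max(enclosing, key=len)
        deleg = data["delegations"][child]
        # Glue records let us reach the child's nameserver without another lookup.
        zone, server = child, deleg["glue"][deleg["ns"][0]]


if __name__ == "__main__":
    addr, trail = resolve("www.example.com.")
    for zone, server in trail:
        print(f"asked {server} (authoritative for {zone})")
    print("answer:", addr)
```

A real resolver also caches each referral, which is why the root and TLD servers are consulted far less often than the description suggests: after the first lookup, the .com NS set is reused for every other .com name until its TTL expires.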
ccTLD delegation and re-delegation
Each ccTLD is delegated to a registry operator — typically a national organisation or government body. IANA delegates .uk to Nominet, .de to DENIC, .jp to JPRS. The delegation process follows IANA's policies and can be changed — called re-delegation — if the sponsoring organisation ceases to operate appropriately. ccTLD policies vary widely: .de requires accurate registrant data, .uk allows privacy-protected Whois, and .io (technically assigned to the British Indian Ocean Territory) is operated commercially without geographic restriction, making it popular with technology companies.
Internationalised Domain Names and Punycode
The DNS was originally ASCII-only. Internationalised Domain Names (IDN) allow TLDs and domain labels in non-Latin scripts — Arabic, Chinese, Cyrillic, and others. Because DNS packets only carry ASCII, non-ASCII labels are encoded using Punycode: the label is converted to an ASCII-compatible encoding (ACE) prefixed with xn--. The Arabic TLD for "web" encodes to xn--ngbc5azd. Browsers display the decoded Unicode form in the address bar, but DNS queries always use the Punycode form. IDN TLDs were introduced after ICANN approved them in 2009, and hundreds now exist.
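The label-by-label conversion between the Unicode form a browser displays and the xn-- form that goes on the wire, as an added example that is not part of the original page. It uses Python's built-in idna codec (IDNA2003 processing, which is what the standard library provides) and checks the Arabic TLD from the text, شبكة, against its published ACE form.

```python
# Added example, not code from the original page: converting a domain name between
# the Unicode form a browser displays and the Punycode/ACE form that goes on the
# wire, one label at a time, using Python's built-in "idna" codec (IDNA2003
# processing, which is what the standard library provides).

ACE_PREFIX = "xn--"


def to_ace(name: str) -> str:
    """Unicode domain name -> ASCII-compatible form used in DNS queries.

    ASCII labels pass through (lowercased); every other label is run through
    nameprep and Punycode and gets the xn-- prefix.
    """
    out = []
    for label in name.split("."):
        if label.isascii():
            out.append(label.lower())
        else:
            out.append(label.encode("idna").decode("ascii"))   # yields "xn--..."
    return ".".join(out)


def to_unicode(name: str) -> str:
    """ASCII/ACE domain name -> Unicode form for display. Labels without the
    xn-- prefix are returned unchanged."""
    out = []
    for label in name.split("."):
        if label.lower().startswith(ACE_PREFIX):
            out.append(label.encode("ascii").decode("idna"))
        else:
            out.append(label)
    return ".".join(out)


def is_ace_label(label: str) -> bool:
    """True if a label is in ACE form (the form resolvers, zone files and logs show)."""
    return label.lower().startswith(ACE_PREFIX)


if __name__ == "__main__":
    arabic_web_tld = "شبكة"          # the Arabic TLD the text mentions
    wire = to_ace(f"example.{arabic_web_tld}")
    print(wire)                        # example.xn--ngbc5azd
    print(to_unicode(wire))            # example.شبكة
```

When reviewing logs or zone data, remember that only the ACE form appears there; converting with to_unicode before comparing against what a user saw in the address bar avoids mismatches.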
DNSSEC at the TLD level
DNSSEC (DNS Security Extensions) provides cryptographic integrity for DNS responses, letting a validating resolver reject forged answers and so preventing cache poisoning attacks. At the TLD level, DNSSEC involves two key concepts. The KSK (Key Signing Key) is a long-term key pair used only to sign the zone's key set, which includes the ZSK (Zone Signing Key) that signs the zone's records; the KSK for .com is kept offline in a hardware security module. The DS (Delegation Signer) record in the parent zone (the root, for a TLD) contains a hash of the child zone's KSK, forming a chain of trust from root to TLD to domain. When a resolver validates a response for example.com, it follows the chain downward from its trust anchor: root KSK → .com DS → .com KSK → example.com DS → example.com keys.
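The DS-to-KSK linkage that forms the chain of trust, as an added example that is not part of the original page. It computes DNSKEY key tags and DS digests as RFC 4034 specifies them and walks root → TLD → domain, checking at each delegation that the parent's DS matches the child's published KSK. RRSIG signature checking is left out, and the keys are constructed byte patterns rather than real keys (algorithm 13, ECDSAP256SHA256, is used because its public keys are a fixed 64 bytes).

```python
# Added example, not code from the original page: computing DNSKEY key tags and
# DS digests (RFC 4034) and walking a root -> TLD -> domain chain of trust by
# checking that each parent's DS matches the child's KSK. RRSIG signature
# verification is omitted; the keys below are constructed byte patterns, not
# real keys (algorithm 13 = ECDSAP256SHA256, whose public keys are 64 bytes).
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels,
    terminated by a zero byte. The root '.' is just b'\\x00'."""
    name = name.lower().rstrip(".")
    wire = (b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
            if name else b"")
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags (257 = KSK, 256 = ZSK), protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: a 16-bit checksum over the RDATA that lets
    a DS or RRSIG point at one DNSKEY in a zone's key set."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, rdata: bytes) -> tuple:
    """DS for a child's DNSKEY: (key tag, algorithm, digest type 2 = SHA-256,
    SHA-256(owner name in wire form || DNSKEY RDATA) as hex)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return key_tag(rdata), rdata[3], 2, digest


def format_ds(owner: str, rdata: bytes) -> str:
    """Presentation form as it would appear in the parent zone file."""
    tag, alg, dtype, digest = ds_record(owner, rdata)
    return f"{owner} IN DS {tag} {alg} {dtype} {digest.upper()}"


# Constructed KSKs for each zone in the chain (flags 257 marks a KSK).
ZONE_KSK = {
    ".": dnskey_rdata(257, 3, 13, bytes(range(64))),
    "com.": dnskey_rdata(257, 3, 13, bytes(range(64, 128))),
    "example.com.": dnskey_rdata(257, 3, 13, bytes(range(128, 192))),
}
# DS records each parent publishes for its child (the root holds com.'s DS, etc.).
PARENT_DS = {z: ds_record(z, k) for z, k in ZONE_KSK.items() if z != "."}
# The resolver's configured trust anchor: a DS-style digest of the root KSK.
TRUST_ANCHOR = ds_record(".", ZONE_KSK["."])


def validate_chain(zone: str, zone_ksk=ZONE_KSK, parent_ds=PARENT_DS,
                   trust_anchor=TRUST_ANCHOR):
    """Walk from the trust anchor down to `zone`, checking at every delegation that
    the DS in the parent matches the KSK the child publishes. Returns the list of
    zones verified, or raises ValueError at the first broken link."""
    labels = zone.rstrip(".").split(".") if zone.rstrip(".") else []
    path = ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]
    verified = []
    for z in path:
        expected = trust_anchor if z == "." else parent_ds.get(z)
        if expected is None:
            raise ValueError(f"{z}: no DS in parent, delegation is unsigned (insecure)")
        if z not in zone_ksk or ds_record(z, zone_ksk[z]) != expected:
            raise ValueError(f"{z}: DS does not match published KSK, chain of trust broken")
        verified.append(z)
    return verified


def chain_is_valid(zone: str, **kwargs) -> bool:
    """Boolean wrapper around validate_chain for callers that only need a verdict."""
    try:
        validate_chain(zone, **kwargs)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for z in PARENT_DS:
        print(format_ds(z, ZONE_KSK[z]))
    print("verified:", validate_chain("example.com."))
```

The same digest computation is what you run when checking that the DS your registrar published matches the KSK your signer actually uses; a mismatch after a key rollover is the most common way a zone goes bogus.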
Special-use TLDs and security-relevant designations
.onion is a special-use TLD reserved by IANA (RFC 7686) for Tor hidden services. It is not in the public DNS root: addresses like example.onion only resolve within the Tor network. Browsers with Tor integration handle them natively. Several new gTLDs enforce HTTPS by default through HSTS preloading: .app and .dev are on the HSTS preload list, so every browser that ships the list requires HTTPS for every domain under those TLDs regardless of individual site configuration; the browser rewrites http:// to https:// before opening any connection to the server. Because the preload entry covers the whole TLD (submitted by the registry operator) rather than individual hostnames, no registrant can opt out, which gives those TLDs a meaningful security baseline.
The Public Suffix List
The Public Suffix List (PSL), hosted by Mozilla and maintained by the community, is a registry of domain suffixes under which independent parties can register names. It extends beyond formal TLDs to include suffixes such as github.io, s3.amazonaws.com, and country-specific second-level registries such as co.uk. Browsers use the PSL to scope cookies correctly: because github.io is a public suffix, foo.github.io and bar.github.io are separate registrable domains, so no cookie can be set with Domain=github.io and a cookie set by foo.github.io is never sent to bar.github.io. The PSL also drives SameSite cookie behaviour (which compares registrable domains, not hostnames) and is used by certificate authorities to decide what counts as a separately registrable domain when issuing certificates. Listing a suffix you operate on the PSL gives the names under it the same cookie isolation from one another as domains under a standalone TLD.
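The registrable-domain and cookie-scoping decision the PSL drives, as an added example that is not part of the original page. It is a minimal PSL matcher implementing the published algorithm (longest matching rule wins; "*." rules are wildcards; "!" exception rules override wildcards), so it goes slightly beyond the text by handling the wildcard and exception forms. The rule set is a constructed excerpt, not the real list, which you would fetch from publicsuffix.org.

```python
# Added example, not code from the original page: a minimal Public Suffix List
# matcher that implements the PSL algorithm (longest matching rule wins; "*." rules
# are wildcards; "!" exception rules override wildcards) and uses it to answer the
# cookie question from the text. The rule set is a constructed excerpt, not the
# real list, which you would download from publicsuffix.org.

PSL_RULES = ["com", "io", "uk", "co.uk", "github.io", "s3.amazonaws.com",
             "ck", "*.ck", "!www.ck"]


def _rule_matches(rule: str, labels: list) -> bool:
    """A rule matches when its labels equal the host's rightmost labels ('*' matches any)."""
    rule_labels = rule.split(".")
    if len(rule_labels) > len(labels):
        return False
    return all(r == "*" or r == h
               for r, h in zip(reversed(rule_labels), reversed(labels)))


def public_suffix(host: str) -> str:
    """The rightmost labels of `host` that form a public suffix under PSL_RULES."""
    labels = host.lower().rstrip(".").split(".")
    exceptions, normal = [], []
    for rule in PSL_RULES:
        if rule.startswith("!"):
            if _rule_matches(rule[1:], labels):
                exceptions.append(rule[1:])
        elif _rule_matches(rule, labels):
            normal.append(rule)
    if exceptions:
        # An exception rule wins; the suffix is the rule minus its leftmost label.
        n = max(exceptions, key=lambda r: r.count(".")).count(".")
    elif normal:
        n = max(normal, key=lambda r: r.count(".")).count(".") + 1
    else:
        n = 1                                   # no rule matched: implicit "*" rule
    return ".".join(labels[-n:])


def registrable_domain(host: str):
    """Public suffix plus one label (eTLD+1); None if the host is itself a suffix."""
    labels = host.lower().rstrip(".").split(".")
    suffix_len = public_suffix(host).count(".") + 1
    if len(labels) <= suffix_len:
        return None
    return ".".join(labels[-(suffix_len + 1):])


def cookie_domain_allowed(host: str, domain_attr: str) -> bool:
    """Browser check for a Set-Cookie Domain attribute: it must be the host or a
    parent of it (RFC 6265 domain-match) and must not be a public suffix."""
    host = host.lower().rstrip(".")
    domain = domain_attr.lower().strip(".")
    if not (host == domain or host.endswith("." + domain)):
        return False
    return registrable_domain(domain) is not None


if __name__ == "__main__":
    print(registrable_domain("foo.github.io"), registrable_domain("www.example.co.uk"))
    print(cookie_domain_allowed("foo.github.io", "github.io"))   # False: github.io is a suffix
```

The exception rule is the part most people miss when they hand-roll this: under a wildcard rule such as *.ck, every name directly beneath the TLD is itself a public suffix, and only the listed exceptions (here www.ck) are registrable domains in their own right.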
Frequently Asked Questions
What is the difference between a gTLD and a ccTLD?
gTLDs (.com, .org, .net) are generic and open globally. ccTLDs (.uk, .de, .jp) are two-letter country codes. Some ccTLDs (.io, .ai, .tv) are open globally and popular in tech. Others require local presence. Both types are technically equal in the DNS.
How many TLDs exist?
Over 1,500 as of 2024 — including the original 7 gTLDs, 316 ccTLDs, and hundreds of new gTLDs added after ICANN's 2012 expansion programme (.app, .dev, .shop, .cloud, brand TLDs, etc.).
Does the TLD affect SEO or website speed?
Minimal SEO impact — Google treats new gTLDs the same as .com. ccTLDs may signal geographic relevance. The TLD doesn't affect page speed; DNS infrastructure and hosting do. .com remains the most globally trusted TLD.