TTL 35
Who’s in charge of the names?
Somewhere in the world, in a locked room behind layers of security…
A steel door opens.
Surveillance cameras roll.
Witnesses take their seats.
Every few months, in a windowless room guarded by scanners, smart cards, and sealed metal safes, a handful of people gather to unlock a cryptographic key.
The ceremony requires at least five trusted keyholders, each with a specific role. Their access is split by design—so split, in fact, that even assuming a 5% dishonesty rate among them (a rate the design already accounts for), the chance of a coordinated compromise is formally calculated at less than 1 in a million.

I know—it feels like the opening scene of a spy movie, but this ceremony is real.
It’s called the Root Signing Ceremony, and it’s an essential part of how we keep the internet safe and trustworthy.
Every time you visit a website, your computer asks, “Is this really the site I meant to reach?” The answer comes from the Domain Name System—the internet’s address book. But like any address book, it only works if you can trust it hasn’t been tampered with.
That’s why this ceremony exists.
At each event, a new set of digital keys is created and secured using a special device that’s completely cut off from the internet. These keys help verify that the answers your browser gets are real, not fake or redirected by an attacker.
Every step—every click, every signature, every seal—is recorded, checked by multiple people, and streamed live to make sure no one can cheat the system.
You may never see it—but it’s one of the reasons you can safely bank, shop, or read this newsletter online.
Without this ceremony DNSSEC (the security extension that protects the Domain Name System) wouldn’t work.
And neither would the secure web you’re using right now.
P.S. If you’re curious, here’s the full 3h40min recording of the ceremony. It’s incredibly interesting, but I guess a spy movie is more entertaining.
I’ve worked in the domain name industry for years, and I’m still struck by how something so essential can be both incredibly complex and almost completely invisible.
We use domain names every day and yet, most people have no idea how they work, who manages them, or what keeps them secure.
That’s why I’m writing this: the systems that hold up the internet (the very internet we use every day) shouldn’t feel like background magic. They’re built by people. Maintained by rituals. And shaped by incentives we rarely talk about.
If we want the internet to stay open, safe, and human, we need more people who understand the foundations. Not the technical details, necessarily—but the structure, the logic, and yes, the politics behind it all.
So today we’re talking about the hidden industry behind domain names.
Who does what?
At its core, the domain name system is a global, distributed directory that tells your device where to go when you type something like example.com.
Here’s who does what behind the scenes:
🏛 ICANN
The Internet Corporation for Assigned Names and Numbers oversees the system globally.
- Sets the rules
- Coordinates who runs each domain extension (like .com, .org, .blog)
- Maintains the “root zone” – the authoritative list of all top-level domains
🏭 Registry
Manages a specific domain extension (just like Automattic manages .blog)
- Keeps the master database
- Runs the technical infrastructure
- Doesn’t sell domains directly
Examples: Verisign runs .com, PIR runs .org
🏪 Registrar
Sells domain names to the public (like GoDaddy, Namecheap, Google Domains)
- Acts as a middle layer between users and registries
- Offers customer support, DNS management, email, etc.
- Must be accredited by ICANN
👤 Registrant
That’s you, if you’ve ever bought a domain.
- You “rent” the domain (typically yearly)
- You control where it points (your website, email, etc.)
- You can transfer it, renew it, or let it expire
Bonus: DNSSEC & Root Signing Ceremonies
It’s the cryptographic layer that makes sure the answers from DNS can be trusted—even across the complex, distributed system we’ve just explored.
In short:
ICANN sets the rules → Registries manage the zones → Registrars sell to you → Registrant (you) controls your domain → DNSSEC helps everyone trust the answers
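The link in that chain between the root zone and a TLD registry is a DS record: the parent zone publishes a hash of the child zone's key-signing key, so a resolver that trusts the root can check that the TLD's key is the one ICANN delegated to. The script below is an added example, not code from the newsletter or from any registry, that builds a DS record from a DNSKEY as RFC 4034 specifies (SHA-256 digest over the owner name in wire form plus the DNSKEY RDATA, and the key tag from Appendix B) and checks a child key against a parent's DS. The owner name `blog.`, the flags, the algorithm number and the key bytes are constructed placeholders, not the real .blog key; a full validation would additionally verify the RRSIG signatures with that key, which this example does not cover.

```python
import hashlib
import hmac
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 0 < len(raw) < 64:
                raise ValueError("label must be 1..63 octets")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (a checksum used to pick the right DNSKEY)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest type 2: SHA-256 over owner-name wire form followed by DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()


def make_ds(owner: str, flags: int, protocol: int, algorithm: int, pubkey: bytes):
    """Return the DS fields (key tag, algorithm, digest type, digest) the parent publishes."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return (key_tag(rdata), algorithm, 2, ds_digest(owner, rdata))


def verify_ds(parent_ds, owner: str, flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bool:
    """Does the child's DNSKEY match the DS record the parent zone published?"""
    tag, alg, dtype, digest = make_ds(owner, flags, protocol, algorithm, pubkey)
    if dtype != parent_ds[2] or alg != parent_ds[1] or tag != parent_ds[0]:
        return False
    return hmac.compare_digest(digest, parent_ds[3])


# Constructed sample: a fake 64-byte key for an assumed KSK (flags 257 = zone key + SEP,
# algorithm 13 = ECDSAP256SHA256).  Not the real .blog key.
SAMPLE_OWNER = "blog."
SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALG = 257, 3, 13
SAMPLE_PUBKEY = bytes(range(1, 65))


if __name__ == "__main__":
    ds = make_ds(SAMPLE_OWNER, SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALG, SAMPLE_PUBKEY)
    print("parent publishes: %s IN DS %d %d %d %s" % ((SAMPLE_OWNER,) + ds))
    print("child key matches:", verify_ds(ds, SAMPLE_OWNER, SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALG, SAMPLE_PUBKEY))
    tampered = b"\x00" + SAMPLE_PUBKEY[1:]
    print("tampered key matches:", verify_ds(ds, SAMPLE_OWNER, SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALG, tampered))
```

Because the owner name is hashed together with the key, a DS binds a key to one zone: the same key bytes published under a different name produce a different digest, which is why a registry cannot reuse another TLD's delegation. Any change to the registry's key-signing key therefore has to be reflected in a new DS in the root zone, which is the hand-off the ceremony signs.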
Still with me?
(I know, the names are confusing — even seasoned professionals get them mixed up. We built the naming system of the internet and gave it names that no one can remember.)
Why it’s built this way
Originally, a single company—Network Solutions—controlled .com, .net, and .org.
There were no registrars, no choice, no competition.
Around 2000, that changed.
To avoid monopoly, the registry–registrar model was introduced.
One entity would manage the database (registry), and others would be allowed to sell to the public (registrars).
That’s when Verisign kept control of .com and .net (still does today) and .org was handed off to Public Interest Registry, to be managed as a non-profit.
Who’s in charge now?
At the top of the pyramid sits ICANN—the Internet Corporation for Assigned Names and Numbers.
It’s a nonprofit that coordinates everyone: registries, registrars, governments, technical operators.
ICANN doesn’t control the internet.
But it does something just as important: it maintains the root zone, the authoritative list of who’s responsible for every top-level domain (TLD), from .com to .blog to .pizza.
It accredits registrars, delegates TLDs to registries, and creates the policies that keep billions of DNS lookups working smoothly every second (including the ceremony we discussed at the beginning).
How TLDs work
There are generic TLDs (gTLDs) like .org, .info, .xyz, and country-code TLDs (ccTLDs) like:
- .it for Italy
- .fr for France
- .jp for Japan
- .fm for the Federated States of Micronesia
These country-code domains are often managed by telecommunications authorities, government agencies, or academic institutions in the country they represent.
But not always.
Some ccTLDs have been turned into commercial assets.
- .co (Colombia) is marketed globally as an alternative to .com
- .tv (Tuvalu) is used by streaming platforms and media companies
- .fm (Micronesia) is used by radio stations and podcasts
- .io (British Indian Ocean Territory) became popular with startups
In some cases, the country earns a share of the revenue. In others, the TLD is licensed through joint ventures with foreign companies.
And then there are the restricted TLDs—the ones you can’t just go out and register.
Some of the most well-known are:
- .edu – reserved exclusively for accredited educational institutions in the United States. You can’t register a .edu unless you’re a recognized college or university.
- .gov – only available to U.S. government agencies, from federal to local level.
- .mil – short for “military”, used by the U.S. Department of Defense and its branches.
- .int – for international treaty-based organizations like NATO or the UN.
It’s a mix of public governance and private business—wrapped around a critical piece of global infrastructure.
Every few years, ICANN opens an application process to create new TLDs. That’s how we got extensions like .app, .blog, .ninja, and .bank. The process is long, expensive, and highly regulated—because each new TLD becomes part of the internet’s core naming structure.
While the system is far from perfect, it’s what allows the web to stay globally distributed, locally relevant, and mostly coherent.

The web works because a complex, highly structured system quietly does its job. It’s run by people you’ve never heard of, doing things you didn’t know existed, to protect something you use every day.
Not bad, for a bunch of dots, huh?
That’s it for today, see you next week.

I also publish on paolo.blog and monochrome.blog.