How Are Top Level Domains Managed by ICANN?

The Full Inside Story of How .com, .org, .africa, and Every Other Domain Extension Is Created, Governed, and Kept Running for the Entire Planet
Contracts, Policies, Root Zone Management, and the Multi-Stakeholder Framework Behind Every Domain Extension on the Internet

Think about the last website you visited. Whatever the address was — whether it ended in .com, .org, .ng, .uk, .shop, or any other extension — that extension did not just appear. It was created, delegated, governed, and maintained through a structured system that ICANN coordinates at the global level.

Top-Level Domains — the part of a web address that comes after the last dot — are the internet’s namespace infrastructure. They are how the entire global internet stays organized, navigable, and free of naming conflicts. Without a coherent management system, two websites could claim the same address, the DNS would become chaotic, and global internet connectivity would collapse.

ICANN’s role in managing top-level domains is one of the most important — and most misunderstood — aspects of how the internet is governed. This guide breaks down exactly what ICANN does, how it does it, and what policies govern the entire TLD management system.

💡  The Direct Answer:  ICANN manages top-level domains through a combination of policy development, root zone management via its IANA function, contractual frameworks with registry operators, and a multi-stakeholder governance process that determines how the TLD namespace grows and evolves. ICANN does not operate TLDs itself — it coordinates the system that makes all TLDs work together globally.

What Is a Top-Level Domain — and Why Does It Matter?

A Top-Level Domain (TLD) is the highest level in the hierarchical Domain Name System. It is the string that appears to the right of the last dot in any domain name. In “example.com”, the TLD is .com. In “government.ng”, it is .ng. In “store.shop”, it is .shop.

TLDs matter because they are the organizing labels of the entire internet’s address space. They tell the DNS where to look for authoritative information about domain names registered under them. Without TLDs, the DNS cannot function. Without a globally coordinated TLD management system, every country and company could create conflicting extensions that would break global connectivity.

There are two primary categories of TLDs, and ICANN manages them in meaningfully different ways. Understanding this distinction is essential to understanding how the TLD management system works.

The Two Main Categories: gTLDs and ccTLDs

Generic Top-Level Domains (gTLDs)

Generic Top-Level Domains are extensions that are not tied to any specific country or territory. The legacy gTLDs — .com, .net, .org, .edu, .gov, .mil — were the internet’s original extensions, created in the 1980s when the DNS was first established. They were designed for general or sector-specific use: .com for commercial entities, .org for nonprofits, .edu for educational institutions, and so on.

ICANN has direct contractual authority over all generic TLDs. Every gTLD registry operator — the organization that runs the back-end database for a gTLD — must sign a Registry Agreement with ICANN as a condition of operating the extension. This agreement sets binding requirements for how the registry must be operated, what security standards must be met, and how ICANN can enforce compliance.

Since 2012, ICANN has also managed an ambitious new gTLD expansion program that has added over 1,200 new extensions to the internet — including .shop, .tech, .africa, .bank, .app, .google, and hundreds of others. This expansion dramatically diversified the internet’s namespace and created new opportunities for brands, communities, and geographic regions to have dedicated internet extensions.

Country-Code Top-Level Domains (ccTLDs)

Country-code Top-Level Domains are two-letter extensions assigned to specific countries and territories under the ISO 3166-1 alpha-2 standard. Every recognized country and territory on Earth has one: .uk for the United Kingdom, .de for Germany, .ng for Nigeria, .jp for Japan, .br for Brazil, .au for Australia, and so on.

ICANN’s relationship with ccTLDs is fundamentally different from its relationship with gTLDs. ccTLDs are delegated to national registries — usually government agencies or designated national organizations — through ICANN’s IANA function. The delegation is documented in the DNS Root Zone, and the national registry is then responsible for operating the ccTLD under its own policies and legal framework.

This means that ccTLD registries generally have significant autonomy to set their own registration policies, pricing, and operational standards. ICANN does not contract with ccTLD registries the way it does with gTLD registries. However, ICANN maintains a relationship with ccTLD operators through the Country Code Names Supporting Organization (ccNSO), and changes to ccTLD delegations — including redelegations to new operators — go through ICANN’s IANA function following established criteria.

Key Distinction:  gTLDs are directly contracted and regulated by ICANN. ccTLDs are delegated by ICANN’s IANA function but are largely self-governing under national authority. This is why registering a .com involves ICANN-contracted parties at every step, while registering a .uk domain is governed primarily by Nominet UK’s own policies with ICANN’s role limited to maintaining the root zone delegation.

How ICANN Actually Manages the TLD System: Five Interlocking Functions

ICANN’s management of top-level domains is not a single activity — it is a system of five interconnected functions that collectively ensure the TLD namespace is coordinated, secure, and governed in the public interest.

Function 1: The DNS Root Zone — The Master Registry of All TLDs

The foundation of ICANN’s TLD management is the DNS Root Zone database, maintained through ICANN’s IANA function. This database is the authoritative master record of every TLD that exists on the internet — its name, its authoritative name servers, its DNSSEC signing keys, and its delegation status.

Every time a new TLD is created — whether a new gTLD approved through the new gTLD program or a ccTLD added when a new country is recognized — its entry is added to the root zone database. Every time a TLD’s name servers change, or when a ccTLD is redelegated to a new national registry, that change is processed through the IANA function and published in the root zone. The root zone is served by 13 sets of root server addresses, operated by 12 independent organizations globally, making TLD information available to resolvers everywhere on Earth.

The integrity of the root zone is also protected by DNSSEC — and ICANN manages the Root Zone Key Signing Key (KSK), the master cryptographic key that anchors the trust chain for the entire DNS. This means ICANN’s role in the root zone is not just administrative but also cryptographic: ICANN is the ultimate source of authenticated trust in the global domain name system.
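
As an added illustration (not ICANN's or IANA's tooling, and not part of the original article), the following Python reads root-zone-style records in DNS master-file syntax, groups them per TLD, and flags delegations that lack a DS record or have fewer than two name servers. The sample records, the `example`, `test` and `zz` labels, and all function names are constructed for the example; it assumes one complete record per line and uses the two-letter rule described above to tell ccTLDs from gTLDs.

```python
from collections import defaultdict

# Constructed sample (owner TTL class type rdata). Name servers, key tags and
# digests are placeholders, not real root zone data.
SAMPLE_ROOT_ZONE = """\
; constructed excerpt in master-file syntax, not real root zone data
.                 86400  IN NS a.root-servers.invalid.
example.          172800 IN NS ns1.nic.example.
example.          172800 IN NS ns2.nic.example.
example.          86400  IN DS 12345 13 2 0000PLACEHOLDER
ZZ.               172800 IN NS ns1.registry.zz.
zz.               172800 IN NS ns2.registry.zz.
test.             172800 IN NS ns1.nic.test.
test.             86400  IN DS 23456 8 2 0000PLACEHOLDER
ns1.nic.example.  172800 IN A  192.0.2.1
"""


def parse_records(text):
    """Yield (owner, rtype, rdata_fields) for one-line 'owner TTL IN type rdata' records."""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5 or not fields[1].isdigit() or fields[2].upper() != "IN":
            raise ValueError(f"unsupported record: {raw!r}")
        # DNS names are case-insensitive, so normalise the owner name.
        yield fields[0].lower(), fields[3].upper(), fields[4:]


def summarise_tlds(text):
    """Return {tld: {"kind", "ns", "ds"}} for every single-label owner name."""
    tlds = defaultdict(lambda: {"ns": set(), "ds": []})
    for owner, rtype, rdata in parse_records(text):
        label = owner.rstrip(".")
        if not label or "." in label:
            continue  # root apex, or glue/other data below a TLD
        if rtype == "NS":
            tlds[label]["ns"].add(rdata[0].lower())
        elif rtype == "DS":
            key_tag, algorithm, digest_type = (int(x) for x in rdata[:3])
            tlds[label]["ds"].append((key_tag, algorithm, digest_type))
    return {
        label: {
            # Two-letter rule from the article; everything else is treated as a gTLD.
            "kind": "ccTLD" if len(label) == 2 and label.isalpha() else "gTLD",
            "ns": sorted(entry["ns"]),
            "ds": entry["ds"],
        }
        for label, entry in sorted(tlds.items())
    }


def audit(summary):
    """Flag delegations a resolver operator or registry auditor would want to review."""
    findings = []
    for label, entry in summary.items():
        if not entry["ds"]:
            findings.append((label, "no DS record: no DNSSEC chain of trust from the root"))
        if len(entry["ns"]) < 2:
            findings.append((label, "fewer than two name servers: no redundancy"))
    return findings


if __name__ == "__main__":
    summary = summarise_tlds(SAMPLE_ROOT_ZONE)
    for label, entry in summary.items():
        print(label, entry["kind"], entry["ns"], entry["ds"])
    for label, problem in audit(summary):
        print("FINDING", label, problem)
```
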

Function 2: Registry Agreements — The Legal and Operational Framework for gTLDs

For every ICANN-contracted gTLD, the relationship between ICANN and the registry operator is governed by a Registry Agreement — a detailed legal contract that defines the rights and obligations of both parties. These agreements are not optional: operating a contracted gTLD without a Registry Agreement with ICANN is not permitted.

Registry Agreements are comprehensive documents covering a remarkable range of operational, security, and policy requirements. Registry operators must maintain 24/7 DNS resolution for their TLD at defined service levels, implement DNSSEC signing of their zone, operate WHOIS and RDAP services providing registration data to the public, maintain an anti-abuse policy and respond to documented DNS abuse reports, deposit registration data in escrow to protect registrants if the registry fails, and comply with all ICANN consensus policies developed by the GNSO.

The Registry Agreement also defines ICANN’s enforcement authority. If a registry operator fails to meet its contractual obligations, ICANN’s Contractual Compliance team can issue formal notices of non-compliance, require corrective action plans, and ultimately — in cases of persistent material breach — terminate the registry agreement and transition the TLD to a new operator.

Function 3: The GNSO Policy Development Process — Community-Made TLD Rules

ICANN does not make TLD policy unilaterally. The policies that govern how domain names under generic TLDs are registered, transferred, managed, and protected are developed through the Generic Names Supporting Organization’s multi-stakeholder Policy Development Process (PDP).

In practice, this means that every major policy affecting gTLD operations — from the rules governing domain name transfers between registrars, to the privacy protections required for WHOIS data, to the criteria for approving new gTLD applications — goes through a structured community deliberation involving registries, registrars, intellectual property interests, civil society, governments, and individual users. Working groups with open membership deliberate over months or years to reach consensus positions, which are then recommended to the GNSO Council, voted on, and forwarded to the ICANN Board for formal adoption as ICANN policy.

This process ensures that TLD management policies reflect the interests of the full internet community rather than any single commercial or governmental interest. It is slower and more complex than top-down rule-making, but it produces policies that are better understood, more widely accepted, and more practically effective because the people who will have to implement them helped develop them.

Function 4: The New gTLD Program — Expanding the TLD Namespace

One of ICANN’s most significant TLD management activities is administering the New gTLD Program — the process through which new domain extensions can be applied for, evaluated, approved, and delegated. Before 2012, the internet had just 22 generic TLDs. The New gTLD Program was designed to address concerns about namespace scarcity and to create opportunities for more specific, meaningful, and multilingual domain extensions.

The program is administered through a detailed Applicant Guidebook that governs every aspect of the application process, from eligibility requirements and application fees to the evaluation criteria and objection grounds. Round 1, which opened in 2012, received 1,930 applications and resulted in over 1,200 new TLD strings being delegated into the root zone. Round 2, opening in 2026, will represent the next wave of namespace expansion.

ICANN’s management of the new gTLD program involves coordinating across multiple teams: policy staff process applications and evaluate them against guidebook criteria, the IANA function handles root zone delegation, the Contractual Compliance team monitors ongoing registry performance, and the GNSO develops the policy framework that governs subsequent rounds. The program is a demonstration of how ICANN manages TLDs not just as an operational coordinator but as a policy architect shaping the future of the internet’s namespace.

Function 5: Compliance and Enforcement — Making TLD Management Stick

TLD management is not only about creating rules and signing contracts — it is also about enforcing them. ICANN’s Contractual Compliance team is responsible for monitoring whether registry operators and registrars are meeting their contractual and policy obligations, investigating complaints, and taking formal enforcement action when they are not.

The compliance function covers a wide range of potential violations: from registrars that fail to maintain accurate WHOIS data, to registries that do not respond to documented DNS abuse reports within contractually required timeframes, to registry operators that fail to meet service level agreements for DNS resolution availability. Complaints can be submitted by any party — registrants, brand owners, security researchers, or the general public — through ICANN’s compliance reporting system at icann.org/resources/compliance.

When a violation is substantiated, ICANN issues a formal Notice of Breach to the non-compliant party, requiring corrective action within a defined timeframe. If the breach is not remedied, ICANN can escalate to financial penalties, restrictions on new registrations, or ultimately termination of the Registry Agreement or registrar accreditation. This enforcement capability is what gives ICANN’s TLD management framework genuine authority rather than merely aspirational guidelines.

🔑  Why Enforcement Matters:  ICANN’s compliance and enforcement function is what makes the entire TLD management system credible. Without it, Registry Agreements would be unenforceable suggestions. The threat of compliance action — and its occasional exercise — is what ensures that the 1,500+ TLD operators and 2,000+ registrars in ICANN’s ecosystem actually meet the standards the community has set.

The Policy Architecture Behind TLD Management

The TLD management system is not just operational — it is built on a comprehensive policy architecture that governs everything from how domain names can be registered to how disputes are resolved. Understanding the key policies that ICANN develops and enforces is essential to understanding how top-level domains are managed in practice.

The Registrar Accreditation Agreement (RAA) governs the companies that sell domain names to the public. Every ICANN-accredited registrar — from large commercial platforms like GoDaddy and Namecheap to small regional registrars — operates under this agreement. The RAA sets standards for WHOIS data accuracy, abuse response, data escrow, registrant protections, and transfer authentication. The 2013 RAA update significantly strengthened security and compliance requirements across the entire registrar ecosystem.

The Registry Agreement’s Specification 11 is the key policy instrument for DNS abuse. It requires all ICANN-contracted gTLD registries to maintain a published anti-abuse policy, operate an abuse point of contact, and take action against documented DNS abuse within defined timeframes. Combined with the DNS Abuse Framework that ICANN introduced in 2021 — which provides shared definitions of the five categories of DNS abuse (phishing, pharming, malware, botnets, and spam used to facilitate abuse) — this creates a binding minimum standard for abuse response across the entire contracted TLD ecosystem.

The Uniform Domain-Name Dispute-Resolution Policy (UDRP) governs how trademark owners can challenge bad-faith domain registrations across all ICANN-contracted gTLDs. Introduced in 1999 and administered through independent dispute resolution providers including WIPO, the UDRP has handled over 60,000 cases. Its companion policy, the Uniform Rapid Suspension (URS) system, provides a faster and cheaper mechanism for clear-cut trademark infringement cases in new gTLDs, allowing suspension within days rather than weeks.

The Registration Data Policy governs what information domain name registrants must provide when registering a domain, how that information is stored and validated, and who can access it and under what conditions. This policy has been substantially reformed in recent years to address the tension between WHOIS transparency — which benefits security researchers, law enforcement, and brand protection — and data protection requirements under frameworks like the European GDPR. The resulting RDAP (Registration Data Access Protocol) framework represents a carefully balanced multi-stakeholder outcome that has shaped how domain registration data is managed globally.

Top Level Domains and ICANN: Key Facts at a Glance

TLD + ICANN Fact | Detail
Total TLDs in root zone | 1,500+ TLD entries in the DNS Root Zone as of 2026
Legacy gTLDs | 22 original generic TLDs including .com, .net, .org, .edu, .gov, .mil
New gTLDs delegated | 1,200+ new extensions delegated since the 2012 New gTLD Program round
ccTLDs total | 316 country-code TLDs — one for every ISO 3166-1 alpha-2 recognized country/territory
Domain registrations governed | 360+ million domain registrations under ICANN’s contracted gTLD framework
Accredited registrars | 2,000+ ICANN-accredited registrars authorized to sell domain names globally
UDRP cases | 60,000+ domain name disputes adjudicated under the UDRP since 1999
New gTLD Round 2 | Second gTLD application round opened 2026 — next major namespace expansion
Root zone DNSSEC KSK | ICANN manages the master cryptographic key securing the entire DNS trust chain
Compliance reports | ICANN handles thousands of compliance reports annually on registrar and registry behavior

UNIQUE FEATURE:  The TLD Lifecycle — From Idea to Internet and Beyond

The TLD Lifecycle: How a New Domain Extension Goes From Idea to Internet

Most people encounter TLDs only when they register a domain name. But behind every extension — whether it is a decades-old legacy like .com or a brand-new string like .africa — there is a complete lifecycle that ICANN coordinates from beginning to end.

The lifecycle begins with the idea stage, where an organization decides it wants to operate a new TLD. Before any application is submitted, serious applicants spend months building their business case, assembling technical infrastructure plans, demonstrating financial capability, and developing their registry model — whether they plan to serve a broad public market (like .shop), a defined community (like .catholic), or operate as a brand registry (like .google).

The application phase opens when ICANN launches an application window — a defined period, typically three to four months, during which organizations can formally apply. Applications are detailed and expensive: Round 1 required a base fee of US$185,000 and comprehensive documentation of technical, operational, and financial capability. Applications that cannot demonstrate genuine readiness to operate internet infrastructure are not approved, regardless of how appealing the string itself might be.

Once submitted, applications go through ICANN’s multi-stage evaluation process. Administrative and legal evaluation confirms the applicant’s eligibility and organizational integrity. Technical and operational evaluation assesses whether the applicant has the infrastructure and expertise to operate a TLD reliably at internet scale. If multiple applicants want the same string, ICANN manages a string contention resolution process that may involve community priority evaluation, private negotiation, or auction.

After clearing evaluation, an approved applicant negotiates and executes a Registry Agreement with ICANN. This is the binding contract that gives the registry operator the right to operate the TLD — and commits them to all of ICANN’s operational, security, and policy requirements. Pre-delegation technical testing then verifies that the registry’s DNS infrastructure is actually ready before the string is inserted into the root zone.

Delegation — the moment the new TLD appears in the DNS Root Zone — is when the extension becomes live on the internet. From that point, the registry typically runs a Sunrise period (allowing trademark holders to register before the general public), followed by a Landrush period (early access for interested registrants), and finally General Availability (open to anyone meeting the registry’s eligibility criteria). The TLD’s ongoing operation is then monitored by ICANN’s Contractual Compliance team for the duration of the Registry Agreement.

🔄  The Ongoing Relationship:  Once a TLD is delegated, ICANN’s management role does not end — it shifts. ICANN monitors registry performance through compliance processes, develops new policies through GNSO working groups that apply to existing registries, coordinates security incidents through the SSAC and security teams, and manages root zone changes when registries update their name servers or DNSSEC keys. TLD management is a continuous relationship, not a one-time transaction.

Frequently Asked Questions

Q1: Does ICANN actually operate domain name registries like .com or .ng?

No. ICANN does not operate domain registries directly. ICANN’s role is to coordinate the TLD management system — setting policies, maintaining the root zone database through its IANA function, and contracting with registry operators. The actual day-to-day operation of TLD registries is done by independent organizations: Verisign operates .com and .net, PIR (Public Interest Registry, a subsidiary of the Internet Society) operates .org, Nominet operates .uk, and so on for every TLD. ICANN sets the rules and monitors compliance — the registry operators run the databases.

Q2: What is the difference between a registry operator and a registrar, and how does ICANN relate to both?

A registry operator manages the authoritative database for a TLD — it maintains the master list of all domain names registered under that extension and operates the DNS servers that make those names resolvable. A registrar is an ICANN-accredited company that sells domain name registrations to end users (individuals and businesses). Registrars query the registry’s database to check availability and submit registrations. ICANN contracts with both: registry operators sign Registry Agreements, and registrars sign Registrar Accreditation Agreements. Most domain owners interact with registrars (like GoDaddy or Namecheap) rather than with registries or ICANN directly.

Q3: Can any organization apply to operate a new top-level domain, and what does it cost?

Any organization — a company, nonprofit, government, or community group — with the technical capability, financial resources, and legitimate purpose can apply to operate a new gTLD when ICANN opens an application window. The base application fee for Round 1 was US$185,000, with additional costs for evaluation, dispute resolution, and Registry Agreement negotiation. The total investment to apply, evaluate, and launch a new TLD typically runs into the hundreds of thousands of dollars before the first domain is ever sold. Round 2 (2026) has a revised fee structure. The high cost and technical requirements mean that successful applicants are generally well-resourced organizations with genuine operational capability.

Q4: How does ICANN handle disputes over domain names or TLD strings?

ICANN manages domain name disputes through two primary mechanisms. The Uniform Domain-Name Dispute-Resolution Policy (UDRP) handles trademark-based disputes over specific domain registrations — allowing brand owners to challenge bad-faith registrations through independent arbitration providers like WIPO, without going to national courts. The Uniform Rapid Suspension (URS) system provides a faster mechanism for clear-cut infringement cases. For TLD string disputes during the new gTLD application process, ICANN manages an objection system with four grounds: string confusion, legal rights, limited public interest, and community objection — heard by designated dispute resolution providers.

Q5: What happens to a TLD and all its registered domains if a registry operator fails or goes out of business?

ICANN has built data escrow requirements into all Registry Agreements specifically to address this risk. Registry operators must deposit copies of their full registration database with an ICANN-approved escrow agent on a regular basis. If a registry operator fails, ICANN can use the escrowed data to transition the TLD — and all its registered domains — to a new registry operator without any disruption to domain name resolution. This continuity protection is one of the most important elements of ICANN’s TLD management framework, ensuring that domain owners are not left without their registered names because of a registry’s business failure.

Every Domain Extension Tells a Story. Now You Know How It Begins.

ICANN’s management of top-level domains is one of the most consequential and least understood aspects of how the internet works. From the root zone that anchors global DNS to the Registry Agreements that govern every contracted TLD, from the new gTLD program that keeps expanding the namespace to the compliance function that enforces the rules — ICANN’s TLD management system is what makes a globally coordinated internet possible.

Whether you are a domain registrant, a network professional, a policymaker, or simply someone who uses the internet — understanding this system makes you a more informed participant in the digital world. Here is how to go deeper:

Explore, Learn, and Get Involved

The domain extension you use every day is the result of a governance system that took decades to build. It is worth understanding — and worth participating in.
