Module 1 · Lesson 6
DNS Governance and Management
The internet has no single owner. DNS has no single controller. And yet, somehow, it works. The governance structure that makes this possible is a layered system of organizations, contracts, and technical standards — and it's more fragile, more political, and more interesting than most engineers realize.
The Chain: IANA to ICANN to You
IANA
The Internet Assigned Numbers Authority (IANA) is the technical custodian of the DNS root. It maintains the root zone — the authoritative source for all TLD delegations — and the databases of port numbers, protocol parameters, and IP address allocations.
IANA is today a function operated by ICANN, but historically it was an informal arrangement centered around Jon Postel at USC's Information Sciences Institute. For much of the internet's formative period, the root zone was essentially maintained by one person. The transition to institutional governance happened gradually through the 1990s and culminated in the ICANN structure.
The root zone file is publicly accessible:
https://www.iana.org/domains/root/files
It lists every TLD, the authoritative nameservers for each, and when the delegation was last modified. As of 2024, there are roughly 1,500 TLDs in the root.
ICANN
The Internet Corporation for Assigned Names and Numbers. A non-profit corporation incorporated in California in 1998, operating under a multi-stakeholder governance model involving governments, businesses, civil society, and technical experts.
ICANN's role in DNS:
- Policy development for generic TLDs
- Contracts with TLD registries and registrars
- IANA functions (since 2016, under the "IANA Stewardship Transition")
- Dispute resolution for domain disputes (the UDRP process)
- Oversight of new TLD applications
The multi-stakeholder model means ICANN isn't directly controlled by any government — but that doesn't mean it's free from political influence. The US government historically had special oversight (NTIA's role with IANA). The 2016 transition changed this, and the relationship between ICANN and national governments remains contested.
From inside the industry: ICANN's policy process is slow, heavily lobbied, and often produces outcomes that favor incumbent operators over the public interest. That's not unique to ICANN — it's what happens when technical governance gets institutional.
TLD Registries
A registry operates the zone for a TLD. They maintain the authoritative database of second-level domain registrations and operate the TLD nameservers.
Notable registries:
- Verisign: .com, .net — the largest TLD registry by volume
- Public Interest Registry (PIR): .org
- Afilias / Identity Digital: .info, .biz, and many new gTLDs
- RESTENA Foundation: .lu (Luxembourg's ccTLD)
- Nominet: .uk
Registries don't sell directly to end users. That's what registrars do. Registries wholesale to accredited registrars, who retail to domain buyers.
ccTLD registries operate under varying arrangements. Some (like .lu) are government-affiliated. Some (like .io, .tv, .cc) are operated commercially. The standards they enforce, their pricing, and their policies vary widely. .io registration revenue going to the British government (technically the British Indian Ocean Territory) while developers buy it for "input/output" connotations is an entertaining edge case of ccTLD economics.
Registrars
A registrar is an entity accredited by ICANN (for gTLDs) or by the relevant ccTLD registry to register domains on behalf of customers. They're the front-line interface between domain owners and the registration system.
The registrar's technical job: accept registration requests, manage the registry protocol (EPP — Extensible Provisioning Protocol, RFC 5730+), maintain customer data, and provide DNS services (often optional — you can point to any nameservers you want).
EuroDNS (where Anouar spent a decade as CTO) is a European registrar accredited by ICANN and contracted with dozens of ccTLD registries. Building registrar infrastructure means implementing EPP for each registry, managing domain lifecycle states (pendingCreate, active, pendingDelete, redemptionPeriod), handling transfer disputes, and dealing with each registry's custom policies.
The registrar-to-registry relationship is the EPP protocol:
<!-- A simplified EPP domain check -->
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
  <command>
    <check>
      <domain:check xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
        <domain:name>example.com</domain:name>
      </domain:check>
    </check>
  </command>
</epp>
How a New TLD Gets Created
ICANN has run two major new gTLD programs. The first, in the early 2000s, added a handful of TLDs (.info, .biz, .name, .pro). The second, starting with applications in 2012, was a massive expansion — ICANN received 1,930 applications and ultimately delegated over 1,200 new TLDs.
The 2012 process:
- Application window (January-May 2012). $185,000 application fee.
- Initial evaluation by ICANN staff
- String contention (multiple applicants for the same TLD go through auctions or private agreements)
- Community and governmental objections reviewed
- Registry agreement signed
- Technical delegation to root
- Launch: typically sunrise (trademark holders first), landrush, then general availability
The process from application to delegation took 2-7 years depending on the string. .app (applied for by multiple parties, ultimately won by Google) took until 2018.
A controversial outcome: ICANN's auction revenue from contended strings exceeded $230 million. Much of it sat in a fund for years with contested governance over how to spend it.
The lesson from inside the industry: new TLD programs benefit existing registries and well-capitalized applicants. The $185,000 application fee was a deliberate barrier. Most successful operators were existing DNS industry players or technology companies with specific brand or business reasons for a TLD.
WHOIS: A Protocol in Decline
WHOIS is a 40-year-old protocol (RFC 954, 1985) that exposes registration data for domain names. Query a WHOIS server, get the registrant name, address, email, nameservers, and registration dates.
whois github.com
# Domain Name: GITHUB.COM
# Registry Domain ID: 1264983250_DOMAIN_COM-VRSN
# Registrar WHOIS Server: whois.markmonitor.com
# Registrar URL: http://www.markmonitor.com
# Updated Date: 2022-09-07T09:10:29Z
# Creation Date: 2007-10-09T18:20:50Z
# ...
WHOIS has two major problems:
No standardization: Every registry implements WHOIS differently. Query formats differ. Response formats differ. Parsing WHOIS output programmatically is a mess of regular expressions and edge cases. There's no consistent schema.
GDPR: The EU's General Data Protection Regulation (2018) required registrars to stop publishing personal data in WHOIS without consent. The result: most WHOIS records now show the registrar's address instead of the registrant's. WHOIS for privacy-protected domains is a redacted shell of itself.
RDAP: The WHOIS Replacement
Registration Data Access Protocol (RDAP) is the modern replacement for WHOIS. RFC 7480-7484 (2015), with ongoing work by the IETF REGEXT working group.
RDAP is:
- HTTP/JSON-based: Structured, parseable data
- Standardized: The same query format works across all registries
- Tiered access: Different levels of data available depending on authorization
- Bootstrapped: A global bootstrap mechanism tells you which RDAP server handles any given TLD or IP block
Query a domain via RDAP:
curl -s https://rdap.verisign.com/com/v1/domain/github.com | python3 -m json.tool
Or using the global bootstrap:
curl -s https://rdap.org/domain/github.com | python3 -m json.tool
ICANN mandated RDAP compliance for gTLD registries and registrars by August 2019. Most implementations exist, but data completeness varies. RDAP hasn't fully replaced WHOIS in practice yet — the transition is ongoing.
Who Actually Controls DNS
This is the question that sounds paranoid until you think about it.
Technically: no single entity controls DNS. The hierarchy distributes authority. Changes to .com require Verisign. Changes to the root zone require IANA. Changes to your domain require your registrar.
Practically: a small number of entities have enormous influence. Verisign controls .com and .net, the two largest TLDs. A handful of large registrars (GoDaddy, Namecheap, Network Solutions) handle a majority of registrations. Cloudflare runs a significant fraction of authoritative DNS globally.
Legal controls are real: domain seizures happen. Law enforcement can compel registrars to transfer or suspend domains. ICANN's UDRP allows trademark holders to claim domains through an arbitration process. In 2010, the US government seized several domain names via court orders that redirected them to law enforcement pages — using the same DNS infrastructure you use to run your website.
The governance isn't just technical. It's geopolitical. ICANN's California incorporation and historical ties to US government oversight give the US structural influence. Russia and China have both developed national "alternative" DNS systems (though nothing that actually replaces global DNS for most purposes — the network effects of the existing system are too strong).
For most operators: the practical implication is to take registration security seriously. Domain theft happens. DNSSEC signing matters. Registrar-lock your important domains. And don't assume that DNS persistence is guaranteed indefinitely — contracts expire, registries change operators, and a sufficiently motivated adversary can disrupt your DNS through legal or technical means.
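Tying the RDAP section to this advice, here is an added example (not from the lesson): a Python audit that reads the JSON either curl command above returns and reports the controls just recommended, registrar/registry locks in the status array, a signed delegation under secureDNS, and days until the expiration event. The RDAP object is constructed; field names follow RFC 9083 and the status strings follow the EPP-to-RDAP mapping in RFC 8056.

```python
import json
from datetime import datetime

# Constructed RDAP domain object (RFC 9083 fields, RFC 8056 status names).
SAMPLE_RDAP = json.dumps({
    "objectClassName": "domain",
    "ldhName": "EXAMPLE.COM",
    "status": ["client update prohibited", "client transfer prohibited"],
    "events": [
        {"eventAction": "registration", "eventDate": "2007-10-09T18:20:50Z"},
        {"eventAction": "expiration", "eventDate": "2026-10-09T18:20:50Z"},
    ],
    "secureDNS": {"delegationSigned": False},
    "nameservers": [
        {"objectClassName": "nameserver", "ldhName": "NS1.EXAMPLE-DNS.NET"},
        {"objectClassName": "nameserver", "ldhName": "NS2.EXAMPLE-DNS.NET"},
    ],
})


def _parse_ts(iso):
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def audit_registration(rdap_json, now_iso):
    """Summarise the anti-hijack controls visible in one RDAP domain object.
    'server ...' statuses are set by the registry (registry lock); 'client ...'
    ones by the registrar, so either form counts as locked here."""
    d = json.loads(rdap_json)
    status = {s.lower() for s in d.get("status", [])}

    def locked(kind):
        return bool(status & {f"client {kind} prohibited", f"server {kind} prohibited"})

    expiry = next((e["eventDate"] for e in d.get("events", [])
                   if e.get("eventAction") == "expiration"), None)
    days = (_parse_ts(expiry) - _parse_ts(now_iso)).days if expiry else None
    return {
        "domain": d.get("ldhName", "").lower(),
        "transfer_locked": locked("transfer"),
        "delete_locked": locked("delete"),
        "update_locked": locked("update"),
        "dnssec_signed": bool(d.get("secureDNS", {}).get("delegationSigned")),
        "days_to_expiry": days,
        "nameservers": sorted(ns["ldhName"].lower() for ns in d.get("nameservers", [])),
    }


def findings(report, min_days=60):
    """List the gaps an operator should close; a missing expiry event counts."""
    gaps = [k for k in ("transfer_locked", "delete_locked", "update_locked",
                        "dnssec_signed") if not report[k]]
    if report["days_to_expiry"] is None or report["days_to_expiry"] < min_days:
        gaps.append("expiry")
    return gaps
```

Feed it the output of the Verisign or rdap.org query instead of SAMPLE_RDAP to audit a real domain; a redacted registrant entity does not affect these fields.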
Key Takeaways
- The chain is IANA (root zone) → ICANN (policy) → registries (TLD zones) → registrars (domain registration) → you.
- ICANN is not a government but is heavily influenced by governments. Its policies reflect industry lobbying as much as public interest.
- WHOIS is dying. RDAP is its JSON-based replacement with standardized data structures. The transition is in progress.
- Domain control has legal dimensions beyond technical DNS. Registrar lock and DNSSEC protect against hijacking; neither protects against state-level legal action.
Further Reading
- ICANN's Root Zone Management
- RDAP specification — RFC 7480
- ICANN New gTLD Program
- The Registrar Accreditation Agreement — What registrars sign up to
- Milton Mueller, "Ruling the Root" (2002) — The political history of internet governance. Pre-dates the new gTLD program but the power dynamics it describes persist.
Up Next
Enough theory. Let's set up an actual DNS server, write a zone file, and test it with dig. The things you learn from running your own nameserver don't come from reading.