Sea levels, search engines, security risks and ccTLDs

Not all domains are what they seem and yours could be in trouble. Are new gTLDs any better?

Intro

All 2-letter TLDs (top-level domains) are ccTLDs (country-code top-level domains) and every country has its own based on the ISO 3166 standard. Individual governments have a lot of say in how theirs is used, control over how it’s technically managed and the freedom to profit from its sales.

Most countries will create regulated namespaces and then offer others for general sale. For example, in the United Kingdom, there are regulated domains such as .gov.uk, .mod.uk, .ac.uk and then generally available spaces such as .co.uk and .org.uk. Since 2014, registering directly under the top-level .uk domain has also been generally available so long as the registrant has a UK presence.

Some countries hit the jackpot with internationally desirable domain names like .tv (Tuvalu), .ai (Anguilla), .gg (Guernsey), .me (Montenegro), .io (British Indian Ocean Territories), .so (Somalia), .co (Colombia), .fm (Micronesia) and .ly (Libya). Realising the potential, many offer these for sale internationally without restrictions. You have almost certainly seen huge brands using these, perhaps without realising, as so-called “domain hacks” like twitch.tv, x.ai, discord.gg, notion.so, about.me, last.fm, bit.ly and so on. You might have also ended up at one by mistake!

As appealing as these short and more available domains may be, these country codes come with risks and considerations that are not as present on classic gTLDs (generic top-level domains) such as .com, .net, .org and new gTLDs like .codes, .xyz, .online, .app (although these come with some additional considerations too, I’ll get to that!).

ccTLD map

There’s so many! Trust me, I know, I had to make all these icons and put them there. 😅 The colours don’t mean anything, just decoration. In hindsight, that was a bit confusing, but no way I’m changing them all now.

So, you found a perfect domain name, but it’s a ccTLD; what’s actually the problem? Well…

An important distinction for the rest of the article is a domain registry vs. a domain registrar.

A domain registry is the company that operates the TLD. In most cases, the government will appoint a company to act as the registry. In the UK, that company is Nominet. They set the rules and the wholesale price, and manage the technical aspects of a domain such as its nameservers and WHOIS.

A domain registrar is the company that sells you your domain name, usually with a small markup on the wholesale registry cost. Registries usually do not sell to end users directly; domain registrars such as Namecheap, Porkbun and Cloudflare Domains have agreements with registries to sell domains on their behalf.

Registration requirements

First and foremost, are you eligible to register this domain name at all? Several ccTLDs have resident or business license requirements.

There are services and registrars that will offer an agency/trustee service for the purpose of circumventing registry requirements, but that could be an additional layer of risk to your domain. Having the correct registration details is crucial if you ever need to contact the top level registry (the company operating the ccTLD) to save your domain from a failed/misbehaving registrar or respond to any trademark disputes/abuse reports.

List of ccTLDs with registration requirements

This is a non-exhaustive list; check with your registry to be sure!

| TLD | Country | Registration Requirements |
|---|---|---|
| .ae | United Arab Emirates | Residents and businesses with a UAE trade license |
| .ag | Antigua and Barbuda | Individuals or businesses with a registered address in Antigua and Barbuda |
| .ai | Anguilla | Individuals or businesses with a registered address in Anguilla |
| .al | Albania | Individuals or businesses with a registered address in Albania |
| .am | Armenia | Individuals or businesses with a registered address in Armenia |
| .at | Austria | Individuals or businesses with a registered address in Austria |
| .au | Australia | Residents and businesses with an Australian presence |
| .be | Belgium | Individuals or businesses with a registered address in Belgium |
| .bg | Bulgaria | Individuals or businesses with a registered address in Bulgaria |
| .br | Brazil | Individuals or businesses with a Brazilian tax ID (CPF or CNPJ) |
| .ca | Canada | Canadian citizens, permanent residents, or organizations with a Canadian presence |
| .ch | Switzerland | Individuals or businesses with a registered address in Switzerland |
| .cl | Chile | Individuals or businesses with a Chilean tax ID (RUT) |
| .cn | China | Individuals or businesses with a Chinese presence |
| .co.uk | United Kingdom | Individuals or businesses with a UK presence |
| .de | Germany | Individuals or businesses with a registered address in Germany |
| .dk | Denmark | Individuals or businesses with a registered address in Denmark |
| .es | Spain | Individuals or businesses with a registered address in Spain |
| .eu | European Union | Individuals or organizations within the EU or its territories |
| .fi | Finland | Individuals or businesses with a registered address in Finland |
| .fr | France | Individuals or businesses with a registered address in France |
| .gr | Greece | Individuals or businesses with a registered address in Greece |
| .hk | Hong Kong | Individuals or businesses with a Hong Kong presence |
| .hu | Hungary | Individuals or businesses with a registered address in Hungary |
| .ie | Ireland | Individuals or businesses with a registered address in Ireland |
| .il | Israel | Individuals or businesses with an Israeli presence |
| .in | India | Individuals or businesses with an Indian presence |
| .it | Italy | Individuals or businesses with a registered address in Italy |
| .jp | Japan | Individuals or businesses with a Japanese presence |
| .kr | South Korea | Individuals or businesses with a Korean presence |
| .lt | Lithuania | Individuals or businesses with a registered address in Lithuania |
| .lu | Luxembourg | Individuals or businesses with a registered address in Luxembourg |
| .lv | Latvia | Individuals or businesses with a registered address in Latvia |
| .mx | Mexico | Individuals or businesses with a Mexican presence |
| .nl | Netherlands | Individuals or businesses with a registered address in the Netherlands |
| .nz | New Zealand | Individuals or businesses with a New Zealand presence |
| .pl | Poland | Individuals or businesses with a registered address in Poland |
| .pt | Portugal | Individuals or businesses with a registered address in Portugal |
| .ru | Russia | Individuals or businesses with a Russian presence |
| .se | Sweden | Individuals or businesses with a registered address in Sweden |
| .sg | Singapore | Individuals or businesses with a Singapore presence |
| .tr | Turkey | Individuals or businesses with a Turkish presence |
| .uk | United Kingdom | Individuals or businesses with a UK presence |
| .us | United States | Individuals or businesses with a US presence |
| .vn | Vietnam | Individuals or businesses with a Vietnamese presence |
Source: Wikipedia list (I know, check your registrar to be sure!)

Do note that even if your domain is available for general registration now, ccTLDs are not bound to the same agreements as gTLDs; individual governments can always change these requirements, and your existing registrations may not be grandfathered in.

The risk of changing requirements

In 2010, China implemented stricter registration requirements for .cn domains, requiring additional documentation, such as company licenses or personal ID numbers.

In 2015, after an already rocky history and long shutdown, the .so registry was transferred to the Somali Network Information Center, which introduced new limitations on purchasing .so domain names by people not affiliated with Somalia.

Also in 2015, Russia passed a law requiring all .ru domain registrants to disclose their personal information to the government.

In 2018, the Venezuelan government seized control of the .ve domain registry and started implementing new requirements, including mandatory registration through government-approved registrars. In 2022, ICANN (stewards of the domain name system) revoked Venezuela’s control of .ve due to concerns about government interference.

On top of these more newsworthy changes, there are many examples of more spontaneous and targeted actions from ccTLD registries. In a fairly recent video by t3.gg, Theo talks about how his .gg domain (Guernsey) was spontaneously locked without prior contact for using a PO box, which had previously been fine, and how the knock-on effects on his email were nearly catastrophic.

Please note that the above video contains some misunderstandings regarding new gTLDs such as .dev and how they may be as bad. They’re not, I’ll cover that more later! .dev will likely be fine, even with the sale of Google Domains.

In 2020, when the UK left the European Union, the European Commission decided that British citizens won’t be entitled to European domains (.eu) once the country left the bloc. 

It is easy to see how these fickle requirements, lack of strong oversight and the reliance on domains for things like emails and accounts could have wide-reaching consequences for a business or individual. These issues are only compounded by the use of agents to satisfy registry requirements, misleading WHOIS information and possibly even language barriers with registry support.

SEO (search engine optimisation)

So you’re eligible for your domain name and confident it’ll stay that way, but there’s more to a name than just looks. If you’re rocking a ccTLD and not specifically targeting users only in that country, you may be in for a rough time when it comes to getting found in search engines.

Search engines use the country code of a domain name as one of various geotargeting signals, so a .uk domain will have a harder time breaking into an American market, for example. Google will prioritise ranking in your relevant country, which can be great if it’s correct and devastating if it’s not.

Generic country-code top-level domains

There are exceptions to the ccTLD geotargeting. Google publishes a list of what it calls “generic country-code top-level domains”; these are ccTLDs that Google treats as generic domains with no geotargeting signals. At the time of writing, that list includes:

.ad (Andorra), .ai (Anguilla), .as (American Samoa), .asia (Asia), .bz (Belize), .cc (Cocos (Keeling) Islands), .cd (Congo, Democratic Republic of the), .co (Colombia), .dj (Djibouti), .eu (European Union), .fm (Micronesia, Federated States of), .io (British Indian Ocean Territory), .la (Laos), .me (Montenegro), .ms (Montserrat), .nu (Niue), .sc (Seychelles), .sr (Suriname), .su (Soviet Union), .tv (Tuvalu), .tk (Tokelau), .ws (Samoa)

Google states this list is subject to change; domains could be added or removed at any time.

Bing says that it does use ccTLDs for location targeting, but I can’t find any info on whether they also exclude some of the more internationally used domains.

Abused domain names

Although Google has never explicitly stated that it deprioritises some TLDs except in the geotargeting cases above, some TLDs host a very high proportion of spam and abuse content. I find it hard to believe that Google does not use this information as part of its complex algorithm, and anecdotal evidence seems to support this. You can check your TLD on Spamhaus.

Reliability & security

You’ve passed the requirements and are sure of your SEO, but should you put your business in the hands of your chosen registry? They are not all created equal. The domain name system is not magic or centrally operated and relies heavily on servers operated by individual domain registries (who manage the individual TLDs) to make sure your visitors get to the right place. You should also consider whether the TLD supports the newer DNSSEC security technology, which many ccTLDs are yet to adopt.

ccTLDs are not under any contractual obligations or consensus policy requirements like gTLDs and many registries face extra challenges including:

  • Fewer resources and less expertise – some ccTLDs are very small with a limited number of registrations, which means potentially less funding and staff to maintain the nameservers.
  • Government oversight – as ccTLDs are primarily controlled by governments, as with pretty much anything controlled by governments, there can be a lot of additional processes, delays and indecision at every level.

You should check the track record of any ccTLD registry you wish to use.

These issues don’t get in the way of every ccTLD registry; some boast very good track records. Nominet (.uk) boasts a 100% uptime. EURid (.eu), DENIC (.de) and JPRS (.jp) also rank very highly for reliability and innovation. You can find your domain’s registry in the ICANN database. Remember, this is regardless of which registrar you directly purchase your domain name from.

Expiration & grace periods

gTLDs have consistent grace periods and expiration processes, with a generous 30-day expiration grace period and 30-day redemption period. The same cannot be said for ccTLDs, which can be all over the place. Many country code domains follow the gTLD pattern, but there are outliers that can cause headaches for customers who are not prepared.

This list is non-exhaustive and may not be fully up to date/accurate, always check your terms with your registrar!

| TLD | Terms and delete-by-date |
|---|---|
| .AM | It can be manually renewed but will delete 3 days before expiration. |
| .AT | No grace period or redemption. It will be deleted 4 days before expiration. |
| .BE | Auto-renew only with no grace period; has a 30-day redemption period if auto-renew fails. |
| .AC | It can only be renewed one year at a time. |
| .CH | Deletes ten days before expiry if not set to auto-renew. |
| .DE | Deletes one day before expiration if not set to auto-renew. |
| .GS | Auto-renew only; deletes three days before expiration. |
| .LI | Deletes 10 days before expiry if not set to auto-renew. |
| .NL | Deletes 3 days before expiration. |
| .PL | Deletes 3 days before expiration. |
| .TW | Deletes 3 days before expiration. |
| .TK | Deletes 3 days before expiration. |
| .IO | Auto-renew only. |
| .CM | Deletes 3 days before expiration. |
| .FM | No grace or redemption period. |
| .LA | No grace or redemption period. |
| .MN | Deletes 2 days before expiration. |
| .MS | Can only be renewed one year at a time; no grace or redemption period. |
| .PE | Deletes 10 days before expiration. |
| .NZ | Deletes 3 days before expiration. |
| .PW | Auto-renew only; 30-day grace and redemption period. |
| .SC | No grace or redemption period. |
| .TM | No grace or redemption period. |
Source: enom
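
As an added example (not from the original article or from enom), the Python below turns the table above into renew-by dates for a domain inventory, so early-delete ccTLDs surface before their nominal expiry. The inventory rows are constructed, and treating an early-deleted name as having no grace period and an unlisted ccTLD as having an unknown one is a conservative assumption.

```python
from datetime import date, timedelta

# Transcribed from the table above: days before expiry on which the name is
# deleted, and whether that only applies when auto-renew is switched off.
EARLY_DELETE = {
    "am": (3, False), "at": (4, False), "ch": (10, True), "de": (1, True),
    "gs": (3, False), "li": (10, True), "nl": (3, False), "pl": (3, False),
    "tw": (3, False), "tk": (3, False), "cm": (3, False), "mn": (2, False),
    "pe": (10, False), "nz": (3, False),
}
NO_GRACE = {"at", "fm", "la", "ms", "sc", "tm"}  # "no grace or redemption" rows
GTLD_GRACE_DAYS = 30                             # gTLD expiration grace period


def tld_of(domain):
    """Return the lower-cased final label, tolerating a trailing root dot."""
    labels = domain.strip().rstrip(".").lower().split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a registrable name: {domain!r}")
    return labels[-1]


def is_cctld(tld):
    """Two ASCII letters means a country code, as stated in the intro."""
    return len(tld) == 2 and tld.isascii() and tld.isalpha()


def deadline(domain, expires, auto_renew):
    """Return (last_safe_day, grace_days); grace_days is None when unknown."""
    tld = tld_of(domain)
    days, only_if_manual = EARLY_DELETE.get(tld, (0, False))
    if only_if_manual and auto_renew:
        days = 0
    if not is_cctld(tld):
        grace = GTLD_GRACE_DAYS
    elif tld in NO_GRACE or days:
        grace = 0     # assumption: a name deleted early has nothing to fall back on
    else:
        grace = None  # ccTLD not covered by the table: ask the registrar
    return expires - timedelta(days=days), grace


def audit(inventory, today, warn_days=30):
    """Classify each (domain, expires, auto_renew) row, most urgent first."""
    report = []
    for domain, expires, auto_renew in inventory:
        last_safe, grace = deadline(domain, expires, auto_renew)
        left = (last_safe - today).days
        if left < 0:
            in_grace = grace and today <= expires + timedelta(days=grace)
            status = "in-grace" if in_grace else "at-risk"
        elif left <= warn_days:
            status = "renew-now"
        else:
            status = "ok"
        report.append((domain, last_safe, left, status))
    return sorted(report, key=lambda row: row[2])


# Constructed inventory: names, dates and auto-renew flags are illustrative only.
INVENTORY = [
    ("example.com", date(2025, 3, 1), False),
    ("example.ch", date(2025, 3, 20), False),
    ("example.at", date(2025, 3, 12), True),
    ("example.de", date(2025, 6, 1), True),
    ("example.fm", date(2025, 3, 5), False),
]

if __name__ == "__main__":
    for row in audit(INVENTORY, today=date(2025, 3, 10)):
        print(*row, sep="\t")
```

Rows marked "at-risk" are past their last safe day with no grace period the table vouches for; confirm the real terms with your registrar before relying on any of these offsets.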

ccTLD reliability issues

There have been a number of fairly recent and high-profile reliability issues with ccTLD registries, far more than I can find with gTLDs, which have more protections and regulations in place.

Political & geographic stability

Phew! You’re eligible for your domain, your SEO strategy is nailed and you’ve vetted your registry – but you’re not out of the woods yet. 😬

You must consider the laws and customs of the TLD’s host country; many will enforce these on their registrations regardless of registrant location. Most domain registries will post a list of rules. .io, for example, prohibits adult content. Trademark and copyright policies are also inconsistent between ccTLD registries and losing your domain in a dispute is a real possibility.

Another thing with country code domains is that they need a country code. It might seem like worrying about a country disappearing is far-fetched, but it’s happened before and may soon happen again. It doesn’t even need to disappear either; a name change could trigger the removal of the old domain too.

Tuvalu (.tv)

One of the most famous ccTLD stories is that of the Pacific island nation of Tuvalu. Tuvalu earns about 1/12th of its national income from licensing its .tv domain to Verisign and more recently GoDaddy. With its first $1 million, Tuvalu was able to cover its fees to join the United Nations.

.tv is a widely used domain name in the video space with over 450,000 registrations, probably most recognisable on streaming platform Twitch.tv, but its future is bleak.

As the country is in the midst of creating a metaverse clone of itself, rising sea levels due to climate change are creeping up on the low-lying archipelago. NASA predicts “much of their land area, along with critical infrastructure, will be below the average high tide by 2050”.

Without calling them out by name (but clearly referring to the .tv situation), ICANN has confirmed that if a country ceases to exist, so will its domain name.

In response to the situation “Island state disappears, but commercial Interests intended to keep ccTLD alive”, an ICANN board member responded:

If the code element is removed, the ccTLD is eligible for retirement. Reason for removal is not of relevance.

British Indian Ocean Territories (.io)

The .io domain is favoured among the tech crowd for its input/output abbreviation, but it is in fact the country code domain of the British Indian Ocean Territories, an archipelago of over 1000 islands between Tanzania and Indonesia.

The United Kingdom expelled the Chagossian people from BIOT in the 1960s-70s to make way for a US military base, a move widely condemned as forced displacement. This injustice, coupled with ongoing legal battles for Chagossian resettlement, has raised ethical and stability concerns about the use of the .IO domain. Critics argue that by using this domain extension, businesses may inadvertently support a narrative that neglects or downplays the human and geopolitical disputes surrounding the territory.

Unlike in the case of Tuvalu, proceeds from the .io domain currently go to a private US company with an undisclosed licensing fee to the UK, but these sales are being contested as part of a complaint from former islanders.

In 2019, the UN confirmed Chagos archipelago as part of Mauritius’ territory. The court ruled the UK must return it to the Chagossians. The UK, however, insists on maintaining sovereignty over the islands.

Extinct domains

Those are just a couple of bubbling issues with country domain names, but not every ccTLD removal is hypothetical; there is precedent.

The .yu ccTLD was removed in 2010 after a transition period following the dissolution of Yugoslavia. In 2001, .zr was deleted following the renaming of the Democratic Republic of the Congo. In 1995, .cs was removed when Czechoslovakia split into the Czech Republic and Slovakia, birthing the .cz and .sk domains respectively.

Uncertain times

I won’t speculate on any others, but we are living in uncertain times where the stability of a number of countries is a serious consideration. While the existence of a domain name pales in comparison to the threat to a country’s existence, it is worth considering the potential ramifications on the domain name system that has become such an integral part of the way the world runs.

Should you choose a country-code domain (ccTLD)?

This isn’t a ccTLD hit piece. I love and am fascinated by the DNS technology. I care a lot about the longevity of the web and I think countries having their own TLDs to control is an essential part of the system.

Personally, I’ve been moving off of my previously used .me and .io domain names. As I learned more, I figured I didn’t want my digital presence and crucially my email accounts in the hands of the government and technical support of a country I had no connection to. I’ve moved my business site to .net, one of the original 5 domain names which remains very highly regulated and my personal site to .codes, one of the “new” gTLDs which also have reassuring protections not required of country code domains.

I’d still very happily recommend my business customers use a relevant ccTLD in their home country for locally-targeted businesses; in that case they are familiar, SEO-friendly and for stable countries usually well managed and priced.

When good .com domains are so hard to come by it is hard to blame anyone who can’t resist settling for a catchy exotic ccTLD instead. That being said, with the rollout of over 1000 new vanity gTLDs in the last 10 years, you probably don’t have to.

I’ll let you make your own mind up! 😄

In defence of “new” gTLDs

ICANN’s new gTLD program has had new domains rolling out from 2013 to a background of continued criticism and controversy [1, 2, 3, 4], but it’s not all bad. The creative naming possibilities and swipe at the monopoly of .com are reason enough to be cheerful.

Over a decade on and I get the feeling these new domains are becoming more publicly acceptable (in the early days, it could be hard to convince a non-tech person that was a URL!) but even in tech-literate circles there are still a lot of misconceptions floating about regarding how these domains are managed and protected.

The bad: no price caps

Some criticisms are very valid: for starters, there are no pricing protections like those seen with the original TLDs. ccTLDs never had these either, but ICANN had the opportunity to secure these on the new domains. In the case of .com, Verisign is regulated by the US Department of Commerce, which has controlled price increases over the years. Under its agreement with ICANN and the U.S. government, Verisign is allowed to increase prices by 7% per year in the last four years of every six-year contract term. .net also has a price cap set by ICANN in its registry agreement.

Those caps are becoming increasingly unique though, as news of the .org sale to a private equity firm was met with great discontent following an announcement of the removal of the .org, .biz and .info price caps in 2019.

New gTLDs have no caps either so we just have to trust in the “free” market on that one. The fact there are so many new TLDs to choose from helps with that, although there are some conglomerates formed that own many simultaneously.

If a registry does want to increase its prices, it must notify registrars 6 months in advance (so make sure you get yourself a good one who will pass that info on!); this gives you the opportunity to lock in for up to 10 years in advance at your current price. An exception to the 180-day notice period is that they can increase prices with 30 days’ notice, but only by no more than the amount it has increased in the last year.

Premium domains

There has been criticism over the use of “premium domains” by new gTLD registries; these domains are marked as desirable by the TLD owner and are sold at a higher price, either upfront at registration or consistently on renewal.

Personally, I don’t think this is terrible. Although it makes some desirable domain names out of reach for average users, if it wasn’t the registry doing it, it would be scalpers, as I am sure you have experienced with legacy TLDs if you have been domain shopping. At least with registry premiums the pricing is transparent.

The good: more oversight

New gTLD operators have strict operating agreements with more accountability and documented processes than their ccTLD counterparts. ICANN is far from a perfect organisation, and there are many convincing arguments against this kind of centralisation, but as far as the current system goes this is a positive in the gTLD column.

More good: the business sense

Unlike ccTLDs where rights are granted regardless, a gTLD operator must be a healthy business with a solid business plan, proven demand and technical expertise to support their suffix long into the future. The application fee for a domain alone is $180,000 to the non-profit ICANN. Many of these new gTLD registries operate multiple TLDs. Identity Digital is the largest new registry by TLDs owned, operating over 250 extensions including .live, .digital, .fyi and more. Even giants like Microsoft and Google are in the game, with Google Registry (distinct from recently shuttered Google Domains, a registrar) operating .app, .dev, .page and others.

Even more good: a backup plan

Putting your business in the hands of a startup registry or the project-abandoning behemoth Google may seem even worse than a foreign government, but fortunately ICANN has made sure that every new gTLD is prepared for the worst.

A large portion of the ICANN application fee is reserved in the case of registry failure, as outlined in their registry failover plan. In the case that a registry ceases trading, there are processes in place to ensure that registrants are not left high and dry by transitioning to an EBRO (emergency back-end registry operator). Every day, registries are required to transfer data to ICANN so a clone of their zone can be spun up at a moment’s notice.

The failover plan does not commit to keeping failed TLDs around forever at any cost, but it is a lengthy process with a lot of redundancy and safeguarding in place. Given the relatively low cost for an existing established registry to support an existing TLD, as long as there is sufficient demand for a given TLD, it seems likely that long-term support will be found.

After a decade of new gTLDs, 2 retail gTLDs have started this process. In 2017, .wed was the first retail gTLD moved to an EBRO and the latest I can find is that in 2021 it was looking for a new home. It seems likely that low usage of this domain, with just over 350 registrations at its peak and only 20 or so hanging on now, has led to a lack of interest. It appears registrations for the TLD are closed but existing registrants are still supported.

Very recently, in late 2023, .desi with around 1,700 registrations was handed over to Nominet, the .uk registry and acting emergency back-end; it is currently looking for a new long-term operator.

I will be watching closely to see how that plays out and report back here! 👀