Post-Delegation: Running a TLD Registry

## Welcome to the Registry Business You did it. Your application was accepted, your Registry Agreement is signed, pre-delegation testing passed, and IANA has added your TLD (Top-Level Domain) to the DNS Root Zone. Your extension is now globally resolvable. Technically, you are a Registry Operator. Now the real work begins. Operating a top-level domain is a perpetual, regulated business with ongoing legal, technical, financial, and compliance obligations. This guide covers everything that happens after delegation — from launching your TLD to the long-term realities of registry sustainability. Use the TLD Comparison Tool to benchmark your launch strategy against TLDs that launched from the 2012 round. ## The Registry Agreement: Your Operating Constitution Your Registry Agreement (RA) with ICANN is a detailed contract that governs every aspect of your registry's operations. Key obligations include: ### Service Level Agreements (SLAs) - **DNS availability**: 99.9% uptime over any 30-day period for authoritative DNS resolution. - **DNSSEC signing**: Zone must be continuously signed; key rollovers must follow ICANN-defined timelines. - **RDAP/WHOIS availability**: 99.9% uptime for registration data access services. - **EPP availability**: 99.9% uptime for the registry-registrar protocol interface. Breaching SLAs — even temporarily — triggers reporting obligations to ICANN and can result in formal compliance actions. ### Financial Obligations - **Annual ICANN fixed fee**: $25,000/year, invoiced annually. - **Transaction fees**: Variable per domain registration, set by ICANN's fee schedule. - **Data escrow**: Regular deposits of registration data to an ICANN-approved escrow agent. ### Reporting Requirements - Monthly and quarterly reports on registration volumes, registrar accreditation, abuse complaints received and resolved. - Annual financial statements. - Security incident reports (within defined timeframes of discovery). - DNS abuse reports (ongoing). ## Launch Phases: Sunrise, Landrush, and General Availability ### Sunrise Period ICANN requires all new gTLDs to include a minimum 30-day Sunrise Period before general availability. During Sunrise: - Only trademark holders with marks registered in the Trademark Clearinghouse (TMCH) can register matching second-level domains. - Registrations are typically priced at a premium to compensate for the restricted eligibility period. - Rights protection mechanisms prevent cybersquatters from front-running general availability. Sunrise is both an obligation and a business opportunity: trademark holders actively seek Sunrise registrations, and a well-marketed Sunrise period can generate significant early revenue and goodwill from the Domain Registrar and brand-owner community. ### Trademark Claims Period Immediately following Sunrise (and extending for at least 90 days into general availability), a Trademark Claims period operates. During this period: - Registrants attempting to register a domain that matches a TMCH-registered mark receive a notice informing them of the conflicting trademark. - They must acknowledge the notice before completing registration. - This does not prevent registration but creates a documented record of awareness for potential dispute resolution purposes. ### Landrush (Optional) Many registries conduct a premium "Landrush" period between Sunrise and general availability, allowing any registrant to register domains but with elevated pricing and potential auction processes for highly contested names. Not all registries use Landrush — it is optional and can create negative user experiences if not managed carefully. ### General Availability General availability (GA) is when the TLD (Top-Level Domain) opens to all registrants, typically at standard pricing, on a first-come, first-served basis. GA is the moment the registry becomes a full commercial operation. ## Registrar Relations: The Revenue Engine Registries do not sell domains directly to end users. They sell to accredited registrars — companies like GoDaddy, Namecheap, Google Domains, and hundreds of others — who in turn sell to registrants. Building registrar relationships is one of the most critical activities in the first 12–18 months of operation. ### ICANN-Accredited Registrars Only ICANN-accredited registrars can sell domains in new gTLDs. There are approximately 2,500 accredited registrars globally. However, most registrants purchase from a small number of large registrars — GoDaddy, Namecheap, Tucows/OpenSRS, and a handful of others — that together account for the majority of global domain registrations. ### Registry-Registrar Agreements (RRAs) Before a Domain Registrar can offer your TLD (Top-Level Domain), they must sign a Registry-Registrar Agreement (RRA) with your registry. The RRA specifies: - Wholesale pricing (what you charge the registrar per registration) - EPP access credentials and procedures - Compliance obligations (abuse reporting, policy adherence) - Payment terms and reconciliation procedures ### Wholesale Pricing Strategy Your wholesale price determines your revenue per registration after back-end operator costs. Typical new TLD wholesale prices range from $5 to $30 per domain per year (registrars add their margin on top, typically 20–50%). Setting price too high discourages registrar promotion; setting it too low may not cover costs. Premium domain programs — where specific short, category-relevant, or dictionary-word registrations in your TLD (Top-Level Domain) are priced at $100–$10,000+ per year — are a critical revenue driver for new registries. See more about Premium Domain (Registry Premium) strategies in the domain investing series. ### Registrar Incentive Programs Major registrars have hundreds of TLDs to offer. To prioritise your TLD, registries offer: - Reduced wholesale prices for promotional periods - Co-marketing funds for registrar-promoted campaigns - Volume commitments with pricing discounts - Dedicated account management Building these relationships requires in-person engagement at domain industry conferences (NamesCon, ICANN meetings, GoDaddy partner events). ## EBERO: Your Safety Net and Obligation The Emergency Back-End Registry Operator (EBERO) is one of ICANN's most important ongoing requirements. Every Registry Operator must maintain a current EBERO designation — an agreement with an ICANN-approved entity that can assume control of registry operations if the primary operator fails. EBERO situations arise when: - The registry operator becomes insolvent - The registry operator abandons operations - The registry agreement is terminated by ICANN for cause - A natural disaster, cyberattack, or other emergency renders the primary operator unable to function Your EBERO designation must be: - With an ICANN-approved EBERO provider - Current (renewing annually or on a defined schedule) - Tested (ICANN requires periodic testing of EBERO transition procedures) EBERO providers include major back-end registry operators (CentralNic, Identity Digital, GoDaddy Registry) that offer EBERO services for other registries they don't primarily operate. ## DNS Abuse Management: A Growing Obligation ICANN's contractual requirements for abuse management have increased significantly since 2012, and the 2026 registry agreements will contain even more specific abuse management obligations. ### What Counts as DNS Abuse? - **Phishing**: Domains used to deceive users into providing credentials or financial information. - **Malware distribution**: Domains hosting or distributing malicious software. - **Botnet command and control**: Domains directing botnet traffic. - **Spam**: Domains used primarily to send unsolicited commercial email. - **Child sexual abuse material (CSAM)**: Domains hosting CSAM — ICANN requires zero tolerance and immediate suspension. ### Abuse Mitigation Infrastructure Required - An abuse report intake process (email and/or web form). - Documented response time commitments (ICANN requires response to valid abuse reports within defined timeframes). - Access to reputable abuse intelligence feeds (Spamhaus, SURBL, PhishTank equivalents). - Suspension authority for domains used in confirmed abuse — registries must be able to suspend second-level domains in their TLD to address abuse. - Regular reporting to ICANN on abuse complaints received, investigated, and acted upon. The DNS Abuse Institute (DNSAI) — a collaborative project of several major registries and registrars — provides shared abuse intelligence and best practices. New registries are encouraged to join as members. ## DNSSEC Key Management: Ongoing Operations DNSSEC is not a one-time setup — it requires continuous operational attention: - **Zone Signing Key (ZSK) rollover**: Typically every 30–90 days. This is largely automated in modern registry systems. - **Key Signing Key (KSK) rollover**: Annually at minimum. Requires coordination with IANA to update the DS record in the DNS Root Zone. - **KSK Ceremony**: A formal, documented process for generating, using, and storing KSKs. Must be conducted in a physically secure environment with Hardware Security Module (HSM) protection. - **Emergency key rollover procedures**: Documented and tested procedures for emergency KSK replacement in the event of compromise. ## Long-Term Sustainability The 2012 round produced a bimodal distribution of outcomes: - **Successful registries**: Achieved registration volumes that covered operating costs and generated profit. These typically focused on a specific, well-defined market segment with genuine demand. - **Struggling registries**: Achieved low registration volumes, burned through capital, and either sold the registry or entered EBERO. Factors that predicted success: - **Clear target audience**: TLDs with a specific, reachable audience (developers for .dev, businesses for .shop) outperformed vague, generic strings. - **Registrar promotion**: Registries that invested in registrar incentive programs achieved much higher distribution. - **Pricing discipline**: Competitive wholesale pricing that encouraged registrar promotion while maintaining margin. - **Brand owner engagement**: TLDs that successfully enrolled brand owners in Sunrise and defensive registration programs established credibility with both registrars and end users. ### The Brand TLD Model For closed brand TLDs not selling registrations, sustainability is measured differently: the TLD must provide sufficient strategic value to the brand owner to justify ongoing costs of $300,000–$600,000/year. See Should Your Company Apply for a Brand TLD? for this analysis. ## Your Registry Agreement Renewal ICANN registry agreements are not perpetual — they are term agreements, typically for 10 years, with renewal rights subject to compliance. Registries that maintain good standing with ICANN (meeting SLAs, paying fees, resolving compliance issues promptly) have the right to renew. Those that fail may face non-renewal or termination. Maintaining good standing requires: - Proactive, timely communication with ICANN's compliance team - Prompt resolution of any compliance notices - Annual compliance self-assessments - Active participation in ICANN policy processes that affect the Registry Operator community ## Final Word: A Registry Is a Public Trust Operating a TLD (Top-Level Domain) is not like operating a website or a software product. A Registry Operator provides infrastructure that registrants — real people and businesses — rely on for their internet identity. Failures in registry operations affect real livelihoods. The most successful registry operators in the post-2012 ecosystem have consistently treated their registries as long-term public infrastructure businesses, not short-term investment plays. For the 2026 round, this ethos — combined with the operational excellence outlined in this guide — is the foundation of sustainable registry operation. For the full journey from application to delegation and beyond, start with ICANN New gTLD Program 2026: Complete Overview and follow this series through all twelve guides.