Denys Inhul

ch4: politics of the namespace

date: May 14 2026

1. The edges of the cooperative model

Chapter 3 painted a tidy picture. ICANN coordinates. IANA implements. Registries operate. Registrars sell. Everyone has a clear role, and the multistakeholder model accommodates everyone. That picture is true on a calm Tuesday.

It frays at the political edges, in three directions. Countries change: ccTLDs are delegated to countries, and when a country dissolves, changes regime, or loses its territory, the question of who controls the TLD becomes uncomfortable. Governments coerce: most major TLDs are operated by companies in specific countries, subject to specific legal systems, and a court order can change what a name points to within hours. States interfere downstream: even when a state can’t touch a TLD, it can intercept DNS queries inside its own borders, and many do.

The chapter walks through each direction with named examples. It closes with the question that follows from all of this: if the cooperative system is so politically constrained, why hasn’t anyone built a competing one?

2. ccTLDs and country sovereignty

Every two-letter TLD is a country code. The source of truth is ISO 3166-1 alpha-2, maintained by the International Organization for Standardization. IANA’s rule, dating to RFC 1591 (1994), is simple: codes in ISO 3166 get a TLD; codes that leave the list should eventually retire.

In practice, IANA almost never retires anything. Sunsets are slow, exceptions are common, and the political price of enforcement is higher than the price of accommodation. Five cases are worth knowing.

.su: a TLD that outlived its country

The Soviet Union dissolved in December 1991. ISO removed SU from 3166 in 1992. IANA’s policy says retired codes should be deprecated within about five years. But .su has been continuously operational since 1990, and as of 2026 still hosts well over 100,000 active domains. Russia treats it as part of its national namespace and renews the operator’s contract every cycle. ICANN has never enforced the sunset. Reasonable people disagree on whether that’s pragmatic accommodation or quiet policy failure.

.af: what happens when a regime changes

The .af registry was operated by an Afghan government ministry. When the Taliban took Kabul in August 2021, the operator’s staff fled the country. The nameservers kept running on automation for several weeks. New operators eventually took over the day-to-day work. The political question (is the Taliban now the legitimate authority for .af?) was answered the way IANA usually answers such questions: by deferring it. Service continued. The line of operational continuity was preserved.

.io: the live case

.io is the country code for the British Indian Ocean Territory, a chain of islands in the Indian Ocean. In 2024, the UK and Mauritius signed an agreement transferring the Chagos Islands (the territory in question) to Mauritius. If “IO” leaves the ISO list as a consequence, .io theoretically must sunset, taking with it roughly a million startup and tech-company domains, including a substantial fraction of the namespace developers use without thinking. As of 2026 the situation is unresolved. Most observers expect some form of grandfathering carve-out. There is no formal mechanism for one yet. The case is a live test of whether ICANN’s rules can survive contact with a politically inconvenient outcome.

.tk: the free TLD that became a spam vector

Tokelau is a Pacific island territory of New Zealand with about 1,500 inhabitants. Its TLD was licensed in 2000 to a private operator, Freenom, who gave names away for free and monetized through parked-page ads on expired or abused names. For years, .tk was the largest TLD by domain count after .com. Most of the volume was spam, phishing, and scam infrastructure. ICANN finally suspended Freenom’s accreditation in 2023. New .tk registrations are largely frozen. Existing domains still resolve. The TLD persists because the technical fact of millions of names pointing at addresses can’t be undone politically without serious collateral damage.

.ly, .ru, .sy, and friends

These are ccTLDs operated by entities in countries that are sometimes uncooperative with Western internet governance. .ly (Libya) was the home of URL shorteners like bit.ly; when the Libyan government enforced morality rules on .ly registrations in 2010, those services scrambled to relocate. .ru continues to operate normally despite Western sanctions on Russia, because the registry operator is Russian and not subject to Western law. Every ccTLD comes with its host country’s politics. There is no neutral option.

3. Seizure

A TLD is a database run by a company in a country. Whatever country that company is incorporated in has the legal handle. Most of the names people have heard of sit in the US:

TLD                           Operator                              Jurisdiction
.com, .net                    Verisign                              Virginia, US
.org                          Public Interest Registry (PIR)        Reston, Virginia, US
.info, .pro, many new gTLDs   Identity Digital (formerly Donuts)    Washington state, US
.io (administrative side)     Identity Digital                      Washington state, US
.uk                           Nominet                               Oxford, UK
.de                           DENIC                                 Frankfurt, Germany
.ru                           Coordination Center for TLD RU        Moscow, Russia
.cn                           CNNIC                                 Beijing, China

The TLDs in US jurisdiction can be reached by US courts. The most visible example is ICE’s “Operation In Our Sites” program, which has seized hundreds of .com and .net domains since 2010, mostly for alleged counterfeit goods, gambling, or copyright infringement. The mechanics are straightforward: a US law-enforcement agency obtains a court order naming a domain; the order is served on the registry (most commonly Verisign); the registry updates the NS records in the TLD zone, pointing them at a government-controlled nameserver; the government nameserver serves a “this domain has been seized” notice. The change propagates as TLD-level caches expire. Effective in minutes to a few hours.

The owner has no opportunity to argue before the seizure. They can challenge in court afterward, but the domain is offline in the meantime. For a business that depends on the domain, the operational damage is done before the legal process starts. There is no international court for TLD seizures, no DNS Geneva Convention. Each TLD’s host country is the appeals process. ICANN explicitly disclaims any role in adjudicating these orders.

4. State-level censorship at the resolver

Seizure is heavy machinery: a court order, a registry, a TLD change, a clear paper trail. State-level censorship is the other category. It works at the resolver layer, against users inside the state’s borders, and doesn’t need any cooperation from the registry. The mechanism is the same everywhere with local variations: the state maintains a list of blocked names; ISPs are required to enforce it; the ISP’s resolver returns false answers, usually pointing at a dead address or a state-controlled “this site has been blocked” page. Some states go further and inject forged DNS responses at the network layer, intercepting queries even when they’re addressed to a foreign resolver.

China: the Great Firewall

This part could be its own chapter. The Great Firewall does several things; DNS poisoning is one of the oldest. An in-path device watches all DNS traffic crossing China’s borders. When it sees a query for a blocked name (Facebook, Twitter, YouTube, large parts of the BBC, increasing chunks of Western news) it races a forged response back to the user before the legitimate one arrives. The forged response points at a Chinese-controlled IP or a useless value (a famous one is 159.106.121.75, clearly bogus, used so research groups can detect the poisoning).

The poisoning happens at the network layer, not the resolver. Users on 8.8.8.8 or 1.1.1.1 from inside China still get poisoned responses, because the forgery happens between them and the foreign resolver. The only escape is to encrypt the query end to end. This is the main driver of DoH and DoT adoption as circumvention tools.
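A client-side check for the race described above, as an added example that is not part of the original chapter: the injector wins the race but the genuine reply still arrives, so one query gets two responses that disagree. The capture, the `.example` names and the 192.0.2.x answers are constructed; the forged value and the resolver address are the ones the text mentions, and all function names are hypothetical.

```python
import struct

def build_response(txid, qname, ip):  # helper for the constructed sample only
    q = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(map(int, ip.split(".")))
    return struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0) + q + struct.pack("!HH", 1, 1) + rr

def read_name(pkt, off):
    """Read labels at off; return (name, offset past it). Pointers are skipped, not followed."""
    labels = []
    while pkt[off]:
        if pkt[off] & 0xC0 == 0xC0:
            return ".".join(labels), off + 2
        labels.append(pkt[off + 1:off + 1 + pkt[off]].decode("ascii").lower())
        off += 1 + pkt[off]
    return ".".join(labels), off + 1

def parse_response(pkt):
    """Return (txid, qname, sorted A-record IPs); assumes exactly one question."""
    txid, _, _, ancount, _, _ = struct.unpack("!6H", pkt[:12])
    qname, off = read_name(pkt, 12)
    off += 4                                   # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        _owner, off = read_name(pkt, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        if rtype == 1 and rdlen == 4:          # A record
            ips.append(".".join(map(str, pkt[off + 10:off + 14])))
        off += 10 + rdlen
    return txid, qname, tuple(sorted(ips))

def find_injection(capture):
    """Flag queries that got several responses with differing answers."""
    seen = {}
    for ts, src, pkt in capture:               # (time, resolver_ip, raw_response)
        txid, qname, ips = parse_response(pkt)
        seen.setdefault((src, txid, qname), []).append((ts, ips))
    alerts = []
    for (_src, _txid, qname), resps in seen.items():
        if len({ips for _, ips in resps}) > 1:
            resps.sort()                       # earliest response first
            alerts.append((qname, resps[0][1], resps[-1][1]))
    return alerts

# Constructed capture: forged answer 4 ms after the query, genuine one at 180 ms.
CAPTURE = [
    (0.004, "8.8.8.8", build_response(0x1A2B, "blocked.example", "159.106.121.75")),
    (0.180, "8.8.8.8", build_response(0x1A2B, "blocked.example", "192.0.2.10")),
    (0.150, "8.8.8.8", build_response(0x3C4D, "ok.example", "192.0.2.20")),
]
```

Each alert is `(name, first answer seen, last answer seen)`; a real monitor would also key on the client source port and compare the flagged answers against a lookup made over DoT or DoH.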

Russia: Roskomnadzor and TSPU

Roskomnadzor maintains the Russian blocklist. ISPs are required to enforce it. For years the enforcement was uneven and easy to bypass. In 2018 the government deployed TSPU (“Technical Means of Counteraction to Threats”), a network of deep-packet-inspection boxes installed at ISP peering points. After the Ukraine invasion in 2022, TSPU was rolled out widely and given much broader authority. It handles DNS interception, HTTP filtering, and protocol identification.

Russia has also been moving toward “sovereign internet” capabilities: the ability to disconnect the Russian internet from the rest of the world while keeping internal services running. The 2019 “Sovereign Internet Law” required ISPs to install state-controlled DNS infrastructure that could be activated in such a scenario. Limited regional exercises were run in 2024 and 2025.

Turkey: the country that taught its citizens 8.8.8.8

Turkey has blocked Twitter, Wikipedia, YouTube, and various opposition news sites repeatedly since around 2014. The blocks usually trigger a public spike in knowledge about how to switch to a foreign resolver. After one round in March 2014, the address “8.8.8.8” was spray-painted on walls in Istanbul as a public service.

[image placeholder] Photo: “8.8.8.8” spray-painted on a wall in Istanbul, March 2014 (during the Twitter block). Source: https://pbs.twimg.com/media/BjPowo4CQAAF1PZ.jpg

Turkey eventually responded by also blocking access to the foreign resolver IPs. The arms race continues.

UK and many EU countries

The UK Internet Watch Foundation maintains a list (originally focused on child sexual abuse material, expanded over time). UK ISPs voluntarily block the list at the DNS layer. The list is opaque; users can’t see what’s on it.

Several EU countries do court-ordered DNS blocking for copyright infringement (Italy’s AGCOM blocklist, Spain), illegal gambling, and similar categories. Mostly enforced through ISP resolvers rather than nationwide interception.

The escalation pattern

State censorship and user circumvention escalate together. The typical chain:

  1. State orders ISPs to block a name at the resolver.
  2. Users switch to a foreign resolver (8.8.8.8, 1.1.1.1).
  3. State blocks access to the foreign resolver’s IP, or intercepts queries at the network layer.
  4. Users switch to encrypted DNS (DoT, DoH, DoQ) that the state can’t read.
  5. State blocks the encrypted resolver’s IP, or requires ISPs to MITM TLS connections.
  6. Users switch to VPNs.
  7. State blocks VPN provider IPs and protocols.
  8. Users switch to Tor or to obfuscation-based tools (Shadowsocks, V2Ray, Trojan).

Each rung costs the state more (technically, politically, in collateral damage to legitimate use) than the previous one. Each rung costs the user more (latency, money, ease of use). The system stabilizes wherever the marginal costs match.

[demo placeholder] GFW response-comparison panel: pulls live OONI / RIPE Atlas measurements to show what a Chinese resolver returns vs 1.1.1.1 for known-blocked names.

5. Alternative roots and why they don’t stick

If the cooperative system is constrained, why hasn’t anyone built a competing one? People have. None have stuck. Worth looking at why.

OpenNIC

Volunteer-run alternative root operating since 2000. Offers TLDs that don’t exist in ICANN’s root (.geek, .free, .bbs) plus mirrors of ICANN’s TLDs. Tiny user base; effectively a hobby project.

Namecoin

Bitcoin fork (2011), one of the earliest blockchain-based naming systems. Registers .bit names on a public ledger. Survives but never grew. Browser support requires plugins; few websites use it.

Handshake

2018 blockchain project, raised significant funding, did large token airdrops. Auctions TLDs on-chain: anyone with enough tokens can own .brand. As of 2026, almost no software resolves Handshake names without a custom resolver.

ENS (Ethereum Name Service)

Probably the most successful alternative naming system by usage. Names like vitalik.eth resolve through Ethereum smart contracts. Widely used inside the crypto community for wallet addresses, NFT identities, on-chain handles. Less widely used for web browsing; most browsers need a plugin or a gateway resolver (eth.limo). ENS has been pragmatic about coexistence with DNS, focusing on wallet identity rather than trying to replace TLDs.

Why none of these displace DNS

The technical objections are minor. You can run any of them today and they basically work. The reason they don’t displace DNS is sociological. A name only works if everyone agrees what it points to. DNS’s value is being the Schelling point that every browser, every CDN, every TLS certificate authority, every spam filter, every search index already trusts. Displacing it requires coordinating millions of operators onto a new consensus. That coordination is impossible without either a 10× technical improvement (none of these offers it) or a political shock that breaks the existing consensus (hasn’t happened either).

State-level forks surface as proposals every few years. China’s “alternative root” has been floated since the early 2000s. Russia, which has the technical infrastructure to do this and has tested isolation drills, has not actually forked the root. The reason isn’t lack of capability. It’s that an alternative root would isolate the forking country’s users from the rest of the internet far more than the current censorship layer does. The cost is currently judged too high.

If a state-level fork ever does succeed, it will look a lot like the Great Firewall’s current behavior, but more so: not just blocking specific names, but redirecting entire TLDs through state-controlled infrastructure. We’re not there yet.


Further reading

  • Mueller (2010), Networks and States: The Global Politics of Internet Governance. The canonical history.
  • RFC 1591 (1994). The original IANA policy on country-code delegation. Still the policy baseline.
  • IANA Root Zone Database. Every ccTLD with its sponsor and contact.
  • ICANN ccTLD retirement procedure. Worth reading to see how cautious the formal process is.
  • Operation In Our Sites coverage at Ars Technica and EFF. Public documentation of US seizure mechanics.
  • GFW Report (formerly Citizen Lab projects). Technical breakdowns of how China-side DNS poisoning works.
  • OONI (Open Observatory of Network Interference). Public measurements of censorship across countries.