When you buy a domain name from GoDaddy or Namecheap, you’re interacting with the visible tip of a three-tier system. Behind your registrar sits a registry operator, and behind both sits ICANN — the organization that coordinates the entire namespace. Understanding this hierarchy explains why domains cost what they do, why transfers work the way they do, and why some policies feel bureaucratic.
Let’s unpack the layers.
The Three Tiers
┌─────────────────────────────────────────┐
│ ICANN │
│ (Coordination, policy, accreditation) │
└─────────────┬───────────────────────────┘
│
┌─────────────▼───────────────────────────┐
│ Registries │
│ (Verisign, PIR, Donuts, Google...) │
│ Operate TLDs, maintain zone files │
└─────────────┬───────────────────────────┘
│ EPP protocol
┌─────────────▼───────────────────────────┐
│ Registrars │
│ (GoDaddy, Namecheap, Cloudflare...) │
│ Sell domains to end users │
└─────────────┬───────────────────────────┘
│ (optional)
┌─────────────▼───────────────────────────┐
│ Resellers │
│ (Hosting companies, web builders...) │
│ White-label domain sales │
└─────────────────────────────────────────┘
Registries: The Wholesalers
A registry operator (or simply “registry”) manages a top-level domain. They maintain the authoritative database of all domains registered under that TLD, operate the TLD’s nameservers, and generate the zone file that makes those domains resolvable.
What Registries Do
- Maintain the TLD database: Every
.comdomain is in Verisign’s registry database - Generate zone files: The registry produces zone files loaded onto TLD nameservers
- Process EPP commands: Registrars communicate with registries via EPP to create, modify, delete, and transfer domains
- Set wholesale pricing: The registry determines the base cost per domain
- Enforce policies: Registration requirements, reserved names, dispute procedures
Major Registry Operators
| Operator | TLDs | Notable |
|---|---|---|
| Verisign | .com, .net, .cc, .tv |
Largest registry; ~175M domains |
| Public Interest Registry (PIR) | .org |
Nonprofit operator |
| Donuts/Identity Digital | 200+ new gTLDs | .live, .world, .email, etc. |
| Google Registry | .app, .dev, .page, .new |
All require HTTPS |
| Radix | .online, .store, .tech, .site |
Major new gTLD operator |
| CentralNic | .xyz, .website, .pw |
Operates registries and registrar services |
| Nominet | .uk |
UK ccTLD, nonprofit |
| DENIC | .de |
German ccTLD, cooperative |
The Registry Agreement
For gTLDs, each registry signs a Registry Agreement with ICANN. This contract specifies:
- Pricing caps and increases (Verisign can raise
.comprices by up to 7% annually under their current agreement) - Technical requirements (SLA uptime, DNS performance)
- Security obligations (DNSSEC support, abuse mitigation)
- Reporting requirements (monthly domain counts, transaction reports)
- Term and renewal conditions
ccTLD registries have a different relationship with ICANN — typically through a less formal exchange of letters or a ccTLD accountability framework rather than a binding contract.
Thick vs Thin Registries
Registries operate in one of two models:
Thick registry: The registry stores complete domain data — registrant contacts, nameservers, EPP status, creation/expiry dates. RDAP/WHOIS queries are answered by the registry directly. Most TLDs use this model.
Thin registry: The registry stores only the domain name, registrar, nameservers, and status. Registrant contact data is held by the registrar. WHOIS queries to the registry return minimal data and refer you to the registrar for full details.
.com and .net historically operated as thin registries but transitioned to the thick model in 2016–2018 per ICANN mandate. The thick model provides more consistent WHOIS data and simplifies transfers.
Registrars: The Retailers
A registrar is an ICANN-accredited organization authorized to sell domain registrations to the public. Registrars are the customer-facing layer — they provide the websites, APIs, and support that domain buyers interact with.
ICANN Accreditation
To become a registrar, an organization must:
- Apply to ICANN: Submit an application with business plans, technical capabilities, and financial documentation
- Pay fees: Initial accreditation fee of $3,500 + annual fee of $4,000 + per-transaction fees
- Sign the RAA: The Registrar Accreditation Agreement defines obligations
- Meet technical requirements: EPP connectivity to registries, WHOIS service, abuse handling
- Maintain insurance: Errors and omissions coverage
As of 2024, there are approximately 2,500 ICANN-accredited registrars worldwide, though many are affiliated entities or operate primarily as reseller platforms.
What Registrars Do
- Customer interface: Web portals, APIs, customer support
- Domain registration: Submit EPP commands to registries on behalf of customers
- DNS management: Many offer DNS hosting alongside registration
- WHOIS/RDAP service: For thick registries, registrars may operate their own lookup service with additional detail
- Transfer processing: Handle incoming and outgoing domain transfers
- Billing: Charge customers, collect payment, manage renewals
- Upselling: SSL certificates, hosting, email, website builders
Major Registrars
| Registrar | Domains Under Management | Known For |
|---|---|---|
| GoDaddy | ~80M | Largest registrar, aggressive marketing |
| Namecheap | ~17M | Budget-friendly, privacy-focused |
| Cloudflare Registrar | Growing rapidly | At-cost pricing, no markup |
| Google Domains → Squarespace | ~10M | Google exited, sold to Squarespace |
| Tucows/Hover | ~25M (wholesale) | Major wholesale registrar |
| Name.com | ~5M | Developer-friendly |
| Dynadot | ~4M | Investor-friendly tools |
| Porkbun | Growing | Low prices, whimsical branding |
Registrar Pricing
The domain pricing chain works like this:
ICANN fee: $0.18/domain/year (gTLD transaction fee)
Registry fee: $10.26/year (Verisign .com wholesale)
─────────────────────────────────
Minimum cost: ~$10.44/year
Registrar markup: $0 (Cloudflare) to $10+ (GoDaddy)
─────────────────────────────────
Retail price: $10.44 to $20+/year
Cloudflare Registrar is notable for charging wholesale + ICANN fees with no markup — “at cost” pricing. Most registrars make their real margin on add-ons: privacy protection (increasingly included free), SSL certificates, hosting, and email.
The Registry-Registrar Agreement (RRA)
Each registrar must sign an agreement with every registry whose TLDs they want to sell. The RRA (or RPA — Registry-Registrar Protocol Agreement) covers:
- Technical integration (EPP connectivity, testing)
- Financial terms (wholesale pricing, payment schedules)
- Operational obligations (response times, data accuracy)
- Transfer policies
This means a registrar selling domains across 500+ TLDs has 500+ separate registry agreements to maintain.
Resellers: The White-Label Layer
Resellers sell domains through a registrar’s infrastructure without being ICANN-accredited themselves. They’re common in the hosting industry:
- Web hosting companies offering domain registration alongside hosting packages
- Website builders (Wix, Squarespace) including domain registration in their service
- IT service providers managing domains for their clients
How Reselling Works
A reseller partners with an accredited registrar and uses their API or white-label platform:
- Customer searches for a domain on the reseller’s website
- Reseller’s system queries the registrar’s API
- Registration request goes: customer → reseller → registrar → registry
- The domain is registered under the registrar’s accreditation (the reseller’s name doesn’t appear in WHOIS as the registrar)
- The reseller handles billing and customer support, though some pass support through to the registrar
Reseller vs Registrar
| Aspect | Registrar | Reseller |
|---|---|---|
| ICANN accredited | Yes | No |
| Direct registry access | Yes (EPP) | No (through registrar) |
| WHOIS listing | Listed as registrar of record | Not listed |
| Investment to start | $50K+ (accreditation, infrastructure) | Minimal (API integration) |
| Pricing control | Full (set own margins) | Limited (registrar sets floor) |
EPP: The Protocol That Connects Them
The Extensible Provisioning Protocol (EPP) is the standard protocol for communication between registrars and registries. Defined in RFC 5730-5734, it’s the technical backbone of the entire registration system.
Every domain registration, renewal, transfer, and modification flows through EPP. When you click “Register” on a registrar’s website, that action ultimately becomes an EPP XML command sent to the registry:
<?xml version="1.0" encoding="UTF-8"?>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
<command>
<create>
<domain:create xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
<domain:name>example.com</domain:name>
<domain:period unit="y">1</domain:period>
<domain:ns>
<domain:hostObj>ns1.example.com</domain:hostObj>
</domain:ns>
<domain:registrant>reg-12345</domain:registrant>
<domain:authInfo>
<domain:pw>secretAuth123</domain:pw>
</domain:authInfo>
</domain:create>
</create>
</command>
</epp>
We’ll dive deep into EPP in Chapter 8 of this part.
Key Takeaways
- Registries are TLD operators — they maintain the database, generate zone files, and set wholesale pricing
- Registrars are ICANN-accredited retailers — they sell domains to end users and interact with registries via EPP
- Resellers sell through registrar infrastructure without direct ICANN accreditation
- Thick registries store all domain data; thin registries store only minimal data (most TLDs are now thick)
- Registry Agreements with ICANN govern TLD operations and pricing
- EPP is the XML protocol connecting registrars to registries for all domain operations
- Domain pricing = ICANN fees + registry wholesale + registrar markup
Next, we’ll examine how you can look up who owns a domain — through WHOIS and its modern successor, RDAP.