TLD Validator
Check if a string is a known valid TLD (top-level domain) — covers major TLDs (com, org, br, uk) and new gTLDs (app, dev, io).
TLD validation: ICANN, IANA and the structure of the root zone
A TLD (Top-Level Domain) is the rightmost label of a domain name — the segment after the final dot in example.com (com) or nic.br (br). Validating a TLD means checking it against the authoritative IANA root zone database, which lists every delegated top-level domain on the public Internet. ICANN (Internet Corporation for Assigned Names and Numbers) governs the root zone policy; IANA (Internet Assigned Numbers Authority) maintains the operational list at iana.org/domains/root/db. Anything outside that list (.zzz, .invalid, .local) is not routable on the public DNS — even if your operating system resolves it inside a LAN.
Why bother validating? Form fields that accept arbitrary suffixes leak invalid registrations into your database, send mail to non-existent MX records, and break SSL issuance (Let's Encrypt requires a publicly delegated zone). A validator backed by the IANA list (or by the Public Suffix List) protects you from typos like example.co meant as example.com, and from purely fictional TLDs that look real but aren't.
Categories: gTLD, ccTLD, sTLD, new gTLD, brand TLD and IDN ccTLD
- gTLD (generic): .com, .net, .org, .info, .biz, .name. The original generic suffixes from the 1980s, plus .info/.biz added in 2001.
- ccTLD (country code): .br Brazil, .pt Portugal, .us USA, .uk United Kingdom, .de Germany, .jp Japan, .fr France. Two letters, derived from ISO 3166-1 alpha-2.
- sTLD (sponsored): .gov, .edu, .mil, .int, .museum, .aero, .coop. Restricted to a defined community with eligibility rules.
- New gTLD (2014+): .app, .blog, .shop, .pizza, .ninja, .dev, .tech. ICANN's expanded program added over 1,200 new suffixes.
- Brand TLD: .google, .apple, .microsoft, .bmw. Operated by a single brand under its own dotBrand policy.
- IDN ccTLD: .中国 (China), .рф (Russia), .السعودية (Saudi Arabia). Non-ASCII ccTLDs encoded as punycode in DNS (xn--fiqs8s, xn--p1ai).
NIC.br and the second-level structure of .br
NIC.br (Núcleo de Informação e Coordenação do Ponto BR) operates the .br ccTLD through registro.br. Unlike .com, .br uses second-level categories rather than flat names: .com.br (commercial), .org.br (non-profit), .gov.br (federal/state government, restricted), .edu.br (higher education, restricted to MEC-registered institutions), .blog.br, .arq.br (architects), .adv.br (lawyers), .med.br (doctors). Since 2010, the open second level .br (no category) is also available for registration by Brazilian individuals and legal entities. Some categories require professional credentials (CRM number for .med.br, OAB number for .adv.br) verified at registration.
Public Suffix List vs IANA root zone
The IANA root zone lists only true top-level delegations (com, br, app). The Public Suffix List (PSL), maintained by Mozilla, goes further: it includes private suffixes under which third parties register names, such as co.uk, com.br, github.io, blogspot.com and herokuapp.com. For tasks like cookie scoping or "what is the registrable name", you want the PSL. For pure DNS root validation, the IANA list is enough.
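const psl = require('psl')
// get() returns the registrable name: one label plus the public suffix
psl.get('user.github.io') // 'user.github.io' (github.io is a private suffix)
psl.get('shop.example.com') // 'example.com' (registrable)
// parse() splits the name around the public suffix
psl.parse('a.b.co.uk') // { tld: 'co.uk', sld: 'b', domain: 'b.co.uk', subdomain: 'a', ... }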
Pricing, security trends and HTTPS-only TLDs
TLD wholesale pricing varies wildly: from $7-15/year (.com, .org) to $50-150/year for premium new gTLDs (.dev, .io), and over $1,000/year for ultra-premium (.tv single-letter names). Some TLDs are HTTPS-only by policy: .dev, .app and .page are operated by Google Registry and preloaded into the HSTS list, so browsers refuse to connect over plain HTTP. Vanity TLDs (.ninja, .pizza, .coffee, .party) often run promotional first-year pricing followed by steep renewal — read the renewal terms before registering. As of 2024, .com still anchors roughly 50% of the public web by zone-file size, with .net and country codes filling out most of the rest.
Reserved TLDs (RFC 2606) and test environments
RFC 2606 reserves four TLDs that are guaranteed never to be delegated: .test, .example, .invalid, .localhost. Use them in tests, documentation and example code without risk of collision. RFC 6761 later added .local (for multicast DNS / Bonjour), .onion (Tor hidden services) and a handful of others. A good validator should accept these for development workflows but flag them as "not publicly routable".
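The check described above, as an added example (not this tool's own code): it parses a list in the format of IANA's plain-text file and classifies a host's TLD as delegated, reserved, unknown or malformed, converting IDN names to punycode first. SAMPLE_IANA_LIST is a constructed excerpt, and the function names and status strings are assumptions made for illustration.

```javascript
// Constructed excerpt in the format of data.iana.org/TLD/tlds-alpha-by-domain.txt:
// one '#' comment line, then one upper-case label per line. Not the real list.
const SAMPLE_IANA_LIST = `# Version 0000000000, constructed sample for this example
APP
BR
COM
DEV
ORG
UK
XN--FIQS8S
XN--P1AI
`;

// Names the page lists as reserved: RFC 2606 plus the special-use .local and .onion.
const RESERVED = new Set(['test', 'example', 'invalid', 'localhost', 'local', 'onion']);

function parseIanaList(text) {
  const tlds = new Set();
  for (const line of text.split(/\r?\n/)) {
    const entry = line.trim();
    if (entry && !entry.startsWith('#')) tlds.add(entry.toLowerCase());
  }
  return tlds;
}

// Return the rightmost label of a host name in ASCII (punycode) form, or null.
function extractTld(host) {
  let name = String(host).trim().replace(/\.$/, ''); // drop the root dot
  if (/[\s\/\\@:?#%\[\]]/.test(name)) return null;   // URL syntax is not a host name
  if (/[^\x00-\x7f]/.test(name)) {
    // The WHATWG URL parser applies IDNA and throws on names it cannot encode.
    try { name = new URL(`http://${name}/`).hostname; } catch { return null; }
  }
  const label = name.toLowerCase().split('.').pop();
  return label || null;
}

function classifyTld(host, delegated) {
  const tld = extractTld(host);
  // Letters, digits, hyphen; 1-63 chars; no edge hyphen; not all-numeric.
  const wellFormed = tld !== null &&
    /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/.test(tld) && !/^[0-9]+$/.test(tld);
  if (!wellFormed) return { tld, status: 'malformed' };
  if (RESERVED.has(tld)) return { tld, status: 'reserved' }; // never publicly delegated
  return { tld, status: delegated.has(tld) ? 'delegated' : 'unknown' };
}

const DELEGATED = parseIanaList(SAMPLE_IANA_LIST);
```

Rejecting URL punctuation before the IDN conversion keeps an input such as `evil.com/中国` from being judged by a different host than the one the caller passed in.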
FAQ
Where is the canonical TLD list? iana.org/domains/root/db in HTML, and data.iana.org/TLD/tlds-alpha-by-domain.txt as plain text. The plain-text version is updated daily and is what most validators cache.
Are new TLDs still being created? Yes. ICANN's next-round application window for new gTLDs is scheduled to reopen, allowing new community and brand applications. The first round (2012-2014) created the bulk of today's new gTLDs.
What is the difference between .br and .com.br? .com.br has been around since 1989 and was the only option for businesses until 2010, when NIC.br opened the bare .br second level for direct registration. Both are valid; .br is shorter and increasingly used by tech brands.
Can a TLD contain digits or hyphens? The DNS protocol allows digits in labels generally, but ICANN policy for the root zone forbids all-numeric TLDs and TLDs starting/ending with a hyphen. Punycode-encoded IDN TLDs always begin with the literal prefix xn--.
Does this tool reject .invalid? Yes — .invalid is explicitly reserved by RFC 2606 and never delegated. The validator flags it as reserved/non-routable rather than syntactically broken.