ccTLDs are risky business

4 min read

internet domains tech

There's been a lot of chatter lately about the future of the .io ccTLD. The top-level domain was originally created as a country code top-level domain for the "British Indian Ocean Territory", but like history tells us, countries are not forever and that means ccTLDs aren't either. Should a treaty by the UK government be passed, the islands would become part of Mauritius, ending the need for the .io domain.

The rules for ccTLDs are strict, and if a country doesn't exist in the official international specification of country code short codes, the domain can't either. The only other option would be for the Internet Assigned Numbers Authority (IANA) to break its own rules, but seeing as how they say, "we are not in the business of deciding what is and what is not a country" it certainly feels like a tall ask.

But that's not stopping people from hoping for it. The latest rumor, or perhaps coping mechanism, is that IANA and ICANN could still have a change of heart about the rules and instead reclassify .io domains into a generic top-level domain as a way to preserve it. That would still be quite unprecedented considering two-letter domains have historically been reserved exclusively for ccTLDs.

If I was a .io domain owner (btw, I'm not), and I established a presence on a .io domain, I'd be looking to migrate any production systems off the .io namespace and quickly change any hard-coded references. While potential changes aren't the same as actual changes, the business risk is simply too high to ignore even if the timeline is at least 5 years. Companies like Itch.io and the numerous mobile games who made .io part of their brand however, should also start those transitions ASAP.

The issue really does go beyond just .io domains. I've come to believe that I could never feel truly secure putting my business on almost any country code Top-Level Domain (ccTLD). Let me explain why with a few eye-opening examples:

  1. The deletion of a country

    One of the oldest and most illustrative examples of the potential instability ccTLDs can face is the case of .yu, the former ccTLD for Yugoslavia. This domain was officially allocated in 1989 but much of its existence was uncertain following a bloody civil war and the breakup of Yugoslavia in the early 1990s. The domain managed to persist through various political changes but was finally deleted in 2010.

    "With the deletion of .yu, historians and researchers lost access to websites that contained important historical records. Gone are firsthand accounts of the NATO bombing and the Kosovo War; the mailing lists that scientists used to update their colleagues on the progress of the conflict; nostalgic forums and playful virtual nation experiments."

    From "Yugoslvia's Digital Twin"

  2. "Who do you think? The Libyans."

    In 2010, the popular URL shortener Bitly found itself in a precarious situation. They were using Libya's .ly ccTLD and nearly had their domain held hostage by then-dictator Muammar Gaddafi. Bitly ultimately escaped the scrutiny but Libya's domain registry didn't go as easy on others, seizing and shutting down other .ly domains that linked to content they found objectionable, including adult content and depictions of the Prophet Muhammad.

    "This is deeply concerning for everyone, but especially .ly domain owners, because it sets a precedent that all websites running on a .ly domain must comply with Libyan Islamic/Sharia Law in order to maintain their domains. This is especially concerning for anyone running a url shortener or hosting user-generated content on a .ly domain."

    From "The .ly domain space to be considered unsafe"

  3. Seized AF

    A decade after the Bitly incident, it seems this lesson still needs to be learned by protocols and platforms too. One group had a very tongue-in-cheek .af domain (Afghanistan's ccTLD), and were quite aware of the risks involved, but they still found their users homeless when their domain was seized without warning by the Taliban. This incident exposed a critical gap in ActivityPub and Mastodon: there's no way to migrate an entire instance to a new domain. While the servers and data still existed, the domain was the most crucial part of hoaw users' identities are resolved on the Fediverse. Consequently, users were forced to start over with zero followers, highlighting how even decentralized platforms can fail due to ccTLD instability.

    “We were very much aware that the .AF TLD belonged to Afghanistan and that there were potential upsets in the future,” they added. “In some strange ways, that made it more appealing —we knew that there were ways that this community experiment could end that were outside of our control, and not just due to us burning out or similar.”

    From "Taliban Shuts Down 'queer.af' Domain, Breaking Mastodon Instance"

The crux of the matter is this: neither IANA nor ICANN can control what countries do with the ccTLDs they've been assigned. While these domains might offer clever branding opportunities or seem innocuous, history has shown us time and again that they can become liabilities overnight.

For businesses and critical online services, the risks far outweigh any potential benefits. A domain name isn't just a web address, it's the foundation of your digital identity and your online home. Losing it can mean losing everything you've built: your hard-earned SEO rankings, years of accumulated backlinks, and the trust and recognition you've established with your audience.

So, no matter how tempting or trendy a ccTLD might be, I can't in good conscience recommend using them for canonical URLs, or really anything besides a redirect. When it comes to your online presence, it's far better to prioritize stability and security over cleverness or novelty. It might seem boring, but this is precisely why .COM remains king.