A Handshake TLD is a top-level domain whose ownership lives on the Handshake (HNS) blockchain instead of in the ICANN root zone. Handshake is a decentralized, permissionless naming protocol: it replaces the single central root authority with a proof-of-work chain that nobody controls and anyone can use. You buy a name through on-chain auctions, and you own it via cryptographic keys — but it will not resolve in a normal browser without special software.
The ordinary domain system has one root, coordinated by IANA on behalf of ICANN, and every TLD is delegated to a registry under contract. Handshake asks a radical question: what if there were no central root authority at all, and the list of top-level names lived on a public blockchain that anyone could read and extend? That single design choice is what makes a Handshake name different from a conventional TLD — and why it comes with real caveats.
How does Handshake actually work?
Handshake is a proof-of-work blockchain dedicated to one job: maintaining the root zone. Instead of a central organization deciding which TLDs exist and who runs them, that information is recorded on-chain. Nobody owns the network, and participation is permissionless — you do not need anyone’s approval to acquire or operate a top-level name.
Crucially, Handshake only decentralizes the top level. Once a resolver knows who owns a Handshake TLD, the records below it can still be served by ordinary DNS infrastructure. In other words, Handshake behaves as an alternative root that can integrate with classic DNS underneath, rather than as a wholly separate internet.
Handshake (HNS): a decentralized, permissionless naming protocol that records the root zone on a proof-of-work blockchain. Top-level names are owned via on-chain cryptographic keys instead of being delegated by a central registry, making ownership censorship-resistant.
How do you get a Handshake name?
You acquire a Handshake top-level name through on-chain auctions, held roughly every two weeks, paid in the network’s native HNS coin. The auction format is a Vickrey auction — sealed-bid and second-price — which means each bidder submits a hidden bid, the highest bidder wins, but they only pay the amount of the second-highest bid. The goal of that design is to encourage honest bidding rather than last-second sniping.
Once you win, the name is yours on the blockchain, controlled entirely by your keys. There is no central registry or registrar in the loop, which is the whole point: ownership is cryptographic and censorship-resistant. The flip side is that there is also no help desk — lose your keys and there is no support line to recover the name.
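The second-price rule and the honest-bidding claim above can be checked directly. This is an added example, not Handshake's own code; it goes slightly beyond the text by comparing against a pay-your-own-bid auction. Assumptions: bid amounts are constructed HNS values, ties go to the earliest bid, and a lone bidder pays 0.

```python
from itertools import product

def settle(bids):
    """Second-price settlement over a list of (bidder, amount) pairs.
    Returns (winner, price). Assumption: ties go to the earliest entry."""
    if not bids:
        return None, 0
    ranked = sorted(bids, key=lambda b: -b[1])  # stable sort keeps earlier bid first on ties
    winner = ranked[0][0]
    price = ranked[1][1] if len(ranked) > 1 else 0  # assumption: lone bidder pays 0
    return winner, price

def utility(value, my_bid, rival_bids):
    """Payoff for a bidder who values the name at `value` and bids `my_bid`."""
    bids = [("me", my_bid)] + [(f"r{i}", b) for i, b in enumerate(rival_bids)]
    winner, price = settle(bids)
    return value - price if winner == "me" else 0

def truthful_is_dominant(value, grid):
    """Exhaustive check on a bid grid: for every pair of rival bids,
    no alternative bid pays more than bidding exactly `value`."""
    for rivals in product(grid, repeat=2):
        honest = utility(value, value, rivals)
        if any(utility(value, alt, rivals) > honest for alt in grid):
            return False
    return True

def first_price_counterexample(value, rival_top):
    """Pay-your-own-bid comparison: returns (honest payoff, shaded payoff).
    Honest bidding wins but pays the full value, so the payoff is 0."""
    honest = value - value
    shaded_bid = rival_top + 1  # bid just above the best rival
    shaded = value - shaded_bid if shaded_bid <= value else 0
    return honest, shaded

if __name__ == "__main__":
    # Constructed sealed bids for one name, in HNS.
    print(settle([("alice", 50), ("bob", 80), ("carol", 65)]))
    print(truthful_is_dominant(60, range(0, 101, 10)))
    print(first_price_counterexample(60, 40))
```

Under the second-price rule the winner's own bid never sets the price, which is why overbidding or underbidding cannot improve on the honest bid; under first-price, shading the bid does.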
Handshake names do not resolve in a normal browser
This is the most important caveat. Mainstream browsers and operating-system resolvers only follow the ICANN root, so they cannot see Handshake names by default. To reach one you need a Handshake-aware resolver (such as hnsd), a public HNS resolver service, or a browser extension. Without that setup, the name simply fails to load for the general public — treat Handshake as experimental, sovereign naming, not a public web address.
How is it different from ICANN DNS?
The cleanest way to understand Handshake is side by side with the system it reimagines. The two share the idea of a root zone and TLDs, but disagree about who, if anyone, should be in charge of it.
| Aspect | ICANN DNS | Handshake (HNS) |
|---|---|---|
| Root authority | Central root zone via IANA/ICANN | Proof-of-work blockchain; no central authority |
| Getting a TLD | ICANN application rounds, registry contract | Permissionless on-chain Vickrey auction (~every 2 weeks) |
| Ownership | Contract with the registry / registrar record | Cryptographic keys on-chain |
| Resolves by default? | Yes, in every browser and OS | No — needs an HNS resolver or extension |
| Below the TLD | Standard DNS hierarchy | Can hand off to standard DNS |
Handshake is also deliberately built to avoid breaking the existing internet. It reserves the existing ICANN TLDs and the most popular existing names, so its auctions cannot sell something like .com out from under Verisign. As a result, Handshake mostly distributes brand-new top-level names rather than colliding with the names already in the ICANN root — one reason it can coexist with, rather than replace, the system that decides who controls TLDs today.
Who is Handshake actually for?
Handshake appeals to people who specifically want self-owned, censorship-resistant naming and are willing to accept that visitors must install a resolver to reach them. For a normal public site that needs to be reachable by everyone, a conventional registrar-issued TLD remains the practical choice. The two are not mutually exclusive — many owners hold a Handshake name as an experiment alongside a regular domain.
★ Key takeaways
- Handshake puts the root zone on a proof-of-work blockchain, replacing ICANN’s central authority — permissionless and owner-controlled.
- You buy a name through on-chain Vickrey (sealed-bid, second-price) auctions held roughly every two weeks, paid in HNS coin.
- Handshake does not resolve in default browsers; you need hnsd, a public HNS resolver, or an extension.
- It reserves existing ICANN TLDs and top names, so it mainly distributes new top-level names — treat it as experimental, not a .com replacement.
Frequently asked questions
What is a Handshake TLD?
A Handshake TLD is a top-level domain whose ownership lives on the Handshake (HNS) blockchain instead of in the ICANN root zone. Handshake is a decentralized, permissionless protocol that moves the root authority from a central organization to a proof-of-work chain, so anyone can own and operate a top-level name without a central registry or registrar.
How do you buy a Handshake domain?
Handshake top-level names are acquired through on-chain auctions held roughly every two weeks. The auctions use a Vickrey (sealed-bid, second-price) model, paid in the network’s HNS coin: the highest bidder wins but pays the second-highest bid. Once won, the name is controlled by cryptographic keys on the blockchain, with no central registrar in the loop.
Do Handshake domains work in a normal browser?
Not by default. Mainstream browsers and operating-system resolvers only follow the ICANN root, so they cannot see Handshake names out of the box. To resolve them you need a Handshake-aware resolver such as hnsd, a public HNS resolver, or a browser extension. Without that setup, a Handshake name will simply fail to load for the general public.
How is Handshake different from ICANN DNS?
ICANN coordinates a single, centrally managed root zone through IANA, and TLDs are delegated to registries under contract. Handshake replaces that central root with a proof-of-work blockchain that nobody controls and anyone can use. Below the top level, Handshake can still hand off to ordinary DNS, so it behaves as an alternative root rather than a completely separate internet.
Does Handshake clash with existing TLDs like .com?
It is designed not to. Handshake reserves the existing ICANN TLDs and the most popular existing names so that auctions cannot sell something like .com out from under its established registry. In practice Handshake mainly distributes brand-new top-level names rather than colliding with the names already in the ICANN root.
Should I use a Handshake name instead of a .com?
For a normal public website, no. Handshake has limited adoption and is not reachable by visitors who have not installed a resolver or extension, so it should be treated as experimental or sovereign naming rather than a drop-in replacement for a conventional TLD. It is most interesting to people who specifically want censorship-resistant, self-owned naming and accept the reachability trade-off.