About Handshake

Handshake decentralizes the root DNS zone and improves security of the internet


Handshake is a naming protocol that’s backwards compatible with the existing DNS system. It does not replace the DNS protocol, but instead expands the root zone file where TLD ownership information is stored and the root servers with a distributed and decentralized blockchain-based system, which nobody controls and anybody can use. This allows the root zone to be uncensorable, permissionless, and free of gatekeepers like ICANN.

Every peer in the Handshake network cryptographically validates and manages the root zone, which also removes the need for the Certificate Authority system (CAs) entirely. Names are logged on the Handshake blockchain, which is essentially one big distributed zone file that anyone has the right to add an entry in.

True name ownership

In the existing Internet infrastructure, nobody actually owns their name. Namespaces are controlled by centralized organizations such as ICANN, Verisign, Facebook, Twitter, and Google, who can delete and take away your domain, name, account, and/or identity at will.

Current domain registrars have built their businesses on leasing models, charging website owners an annual recurring leasing fee to rent a subdomain from the registrar's top-level domains. These fees are subject to price hikes and recently ICANN was in the spotlight for approving a deal that would have removed price caps from protected TLDs like .org. Furthermore, if a website is accidentally determined to be harmful, internet service providers can block it, and domain registrars can seize the domain.

Complete control

Handshake name owners have complete control over their data and can use their TLDs for anything — from simply hosting a website to becoming a registrar that sells subdomains to others. Only name owners can update or transfer their names, so as long as name owners control their private keys, and because the DNS records are on the decentralized Handshake blockchain, their names cannot be seized or tampered with. And because governance on Handshake is truly decentralized, no one person or entity can make a governance decision that would impact domain owners or the network the same way the ICANN deal could for .org domain owners.

Renewal fees

Handshake domain names provide true ownership, which means there are no yearly rental fees you pay to a leaser. Handshake TLD owners do need to submit a biennial "heartbeat transaction" (only the mining fee) to prove they still have access to their name, otherwise the name will go back into the "auction-able names" pile. However, if you use Namebase then you don't need to worry about submitting these transactions because our system does this automatically for you.

Endless top-level domains

At the root of the DNS hierarchy is a file called the root zone where top-level domain ownership info is recorded. This root zone is managed by ICANN, who determines what top-level domains are allowed. In other words, the entire traditional domain name system is controlled at the root by a single entity, ICANN. ICANN charges an $185,000 evaluation fee for new TLD applications, which may or may not get approved, artificially restricting the availability of domains for website owners and developers.


Handshake names are TLDs that anyone can register, not just ICANN. These are distributed through public decentralized Handshake name auctions anyone can participate in, and the market and auction demand determines the price of any given TLD, not Namebase, Handshake, or ICANN.

Any name

Handshake names can be quite literally anything, from English letters and decimal numbers to Chinese characters and even emojis! They can be used like a traditional TLD (my.home/, my.家/, my.🏡/) or simply by themselves as a standalone name (home/, 家/, 🏡/).

Existing domains

All of the ~1,500 TLDs that already exist in the ICANN root zone (e.g. .com, .org, .io) are reserved for backwards-compatibility, and can be claimed by the owners of those names. This means that you can experience Handshake domains without disrupting usual access to traditional domains like .com. Additionally, the top 100,000 most visited websites as determined by Alexa are also reserved for their owners (e.g. owner of Bitcoin.com gets the name “bitcoin/” on Handshake, and Google gets “google/”). You can see the full list of already claimed names on DNS.LIVE.

If you own an Alexa top 100k website, you can use these instructions to claim your name.

Unstoppable and private

Even though DNS is infrastructure that the entire world relies on, only a few organizations at the top of the hierarchy control it. The centralized nature of internet names makes it trivial for governments and institutions to censor websites and content through DNS filtering and redirection by not allowing the recursive server to find the intended domain names. Turkish citizens were banned from wikipedia for almost 4 years and are still blocked from the encrypted email provider ProtonMail. Iran recently censored Facebook and Twitter before shutting off their Internet entirely, and the services blocked in China are legion, including Facebook, Twitter, and Google.

The current centralized nature of internet names also results in a loss of privacy. Even if your domain registrar offers WHOIS protections, your ownership information is stored in centralized databases which can still be subpoenaed from a domain registrar. This makes it difficult for people to create politically sensitive websites without compromising their safety. Malicious actors spy on and tamper with your browsing activity, and DNS providers, including ISPs, collect and sell that web browsing history. As a workaround, people resort to VPNs and centralized resolvers like Cloudflare’s which can be shut down at any time (and still require trusting the resolvers themselves).


Handshake ensures DNS records can only be modified by the name's owner, which prevents Handshake domains from being censored or maliciously redirected. Handshake DNS data is distributed across all the nodes in its blockchain network instead of a single centralized server. As long as you can connect to any node in the distributed network, you'll be able to resolve Handshake names, making Handshake names near-impossible to censor.

Privacy preserving

Registering a Handshake domain respects the privacy of the owner by requiring no personal data during registration. Ownership of names are determined by public-key cryptography, so it’s easy to verify name owners by having them sign a message with their private key. Since privacy is a core feature of Handshake names, Namebase does not charge a yearly fee to keep ownership details private. There is no recurring annual fee or any other related fees to keep your information away from the solicitors, and there is no WHOIS lookup or any other public database where ownership or contact information is exposed.

It is possible to register Handshake names on Namebase completely privately without revealing any information.

A more secure internet

Browsers trust certificate authorities to prove that websites are who they say they are. However, certificate authorities have sometimes compromised the security of SSL by issuing bad certificates or cooperating with governments to spy on and censor traffic. Insecure websites put everyone at risk. Vint Cerf, the “Father of the Internet,” expands on this in his article about self-authenticating identifiers.

Your browser encrypts traffic to websites using TLS (Transport Security Layer), which relies on public key cryptography. Public key cryptography is a method of asymmetric encryption using a pair of keys: a public key and a private key pair (as opposed to symmetric encryption with only one key). The public key is shared publicly and is used to verify signatures. The private key is used to decrypt messages encrypted by the public key. The private key is never shared.

When the browser makes an HTTPS request to Google, it initiates a TLS Handshake with Google and receives Google's public key. The browser then uses Google’s public key to verify that the rest of the messages in the TLS Handshake are initiated by Google, because only Google has the private key for its public key. This way, even if intermediate networks spy on the request, they won't be able to decrypt the contents of it. If an intermediary routes the request to another server pretending to be Google, the browser will know because that server won't be able to respond to the request.

How do you know that Google's public key is actually Google's public key? When you make that first request to Google, an intermediate network may have intercepted your request and returned a fake public key for Google. Certificate authorities (CAs) attempt to solve this problem. CAs are trusted third parties that verify the authenticity of public keys for websites. Your operating system ships with a list of vetted CAs by default, and when a website wants to support HTTPS requests, they register their public key with the vetted CAs. You verify that the public key you receive from Google is truly Google's public key by checking it with your CAs.

There are hundreds of CAs installed on your computer by default — Microsoft Windows comes with 390 certificates, and Mac OS X comes with 170 certificates — all of whom you must trust in order to browse the web "securely", and even more intermediaries that they delegate trust to. If even a single one of these entities acts maliciously or gets hacked, then all of your HTTPS internet browsing traffic is compromised and vulnerable to MITM attacks. In the DigiNotar attack, the Iranian government hacked a Dutch CA and used it to MITM 300,000 Iranian citizens.

Replacing CAs

Handshake names are their own root of trust and have their TLS keys pinned to them. Rather than relying on an arbitrary centralized list of hundreds of certificate authorities to verify public key authenticity, Handshake makes it possible for anyone to verify key authenticity by shifting the root of trust to a cryptographically-backed distributed root of trust — its blockchain. Instead of a single bad certificate authority compromising your security, the entire Handshake blockchain would need to be compromised in order to compromise your security.


The starting point of Internet interaction: a comprehensive explanation of the Handshake mechanism design of the decentralized naming system written by Andrew Lee, a co-founder of Handshake.