Introducing .badass Domains

Mike Carson
7 min readFeb 28, 2021

This is an article about how and why Impervious is selling decentralized .badass domains, which you can register and manage right now at The .badass top-level domain (TLD) is part of the Handshake decentralized root zone, which I’ll describe in a moment. But first, let me explain why we didn’t try to secure .badass through ICANN.

What it would take to get .badass as an ICANN TLD

Registering a new ICANN TLD is a very costly and time consuming process. But before we could even start that process, we would have to wait for the next available window when ICANN accepts applications for new TLDs. The window is only open for about 45–60 days, and it has only happened in 2000, 2005 and 2012. I am told that another window may open in the next 12–30 months. Regardless of when it happens, we would have to wait a while — at least a year.

Assuming another window does open, the next step is the Application & Evaluation Process, of which the shortest path for a successful application would be “to pass Administrative Check (lasting 2 months), Initial Evaluation (lasting 5 months) and then move to Pre-delegation (lasting approximately 2 months) without any Objections filed or String Contention concerns.” Best case scenario: it’s a one-year process, but ICANN is only now releasing some new TLDs from the 2012 application window (~9 years later).

Even after the wait, it is possible that multiple parties could apply for .badass, which would generate an auction for the competing applicants. The .web TLD cost Verisign $140M in such an auction and they still don’t have control over the TLD because it is in dispute.

Yet another possibility is that the TLD could be put into a community standards review group by an ICANN stakeholder (e.g. the Governmental Advisory Committee) who thinks it is not a suitable name. The .xxx TLD was applied for in 2005, but the Governmental Advisory Committee added 5 or 6 years delay to the approval process because they thought it might introduce porn to the internet 😂.

So that covers the time costs. Now, let’s talk about the fees. There is a non-refundable “evaluation fee” of $185,000. You also have to pay a “per unit” fee to ICANN with a minimum cost of $25k per year. There are also the fees to run a registry system, lawyer fees, etc.. All in all it will probably cost at least $1M, and as I mentioned with .web above, the potential cost could be over $100M.

Clearly it is only possible for large companies to register ICANN TLDs, not normal internet users who, for example, can now only buy individual .com domains. And these companies typically have to rely on a similar business model as other TLDs, which is to market and sell subdomains under them.

How we got .badass on Handshake

.badass is currently a TLD on the decentralized root zone Handshake, which is built on a proof of work blockchain.

After the auction for the name .badass was opened, we placed a bid of 1001 HNS, which turned out to be the highest bid. When the auction ended, we paid the 2nd highest bid of 190 HNS, which at the time was worth around $19. You can see the auction history here.

That 190 HNS was not paid to anyone, it was simply “burned” (permanently removed from circulation).

This auction process was quick and painless, which is in stark contrast to the ICANN process, and it’s one of the things I love the most about Handshake. Unlike ICANN TLDs, Handshake TLDs can be registered by anyone — by normal people instead of large companies — and there can be other uses for TLDs besides what we see on the internet now. I believe it will open up the internet and make it more free and creative.

Another advantage to Handshake is that it removes the need to trust Certificate Authorities (CAs). Currently when you visit an https website, you have to trust the CA that issued the certificate. With Handshake, you can set up DANE, so that internet traffic to the domain can be encrypted using only DNS.

Decentralized second-level domains

Second-level domains are the part of the domain before the TLD. For example with the domain name total.badass, the word “total” is the second-level domain. Having second-level domains greatly expands the namespace. It makes it so that there are a lot more cool and memorable names available for registration.

There are already decentralized second-level domains on the internet. Ethereum Name Service allows users to register second-level domains under the .eth TLD. Other services like Unstoppable Domains (.crypto) and Namecoin(.bit) are similar in theory. But what is interesting about these other projects is that their TLDs are not anchored in any root zone. They are orphaned. Some may be vying to get their TLD on ICANN, but in my opinion the value of a decentralized second-level domain is greatly decreased if it is anchored in a centralized root zone.

This is why .badass domains are so badass. Because they are the first decentralized second-level domains anchored into a decentralized root zone. You don’t have to trust anyone and you completely own your .badass domain.

First, we set the NS for the .badass TLD to point to the ENS contract that we deployed (using HIP-0005 format):

"records": [
"type": "NS",
"ns": "0x36fc69f0983E536D1787cC83f481581f22CCA2A1._eth."

Handshake uses bitcoin-like redeem scripts, so we then used this to make the .badass TLD uneditable by anyone:

0x08 // RENEW

Handshake is a fork of Bitcoin, with added covenants, so we can use this script to prove to second-level domain owners that they do not need to trust the owner of the .badass TLD, because it can’t be changed. This script says that the only transaction that is acceptable is a RENEW transaction, and it can be done by anyone. So, no one can update the name .badass, but anyone can renew it. For more detailed information, check out this test for hsd created by Matt Zipkin.

.eth names are decentralized in a way, because they exist as smart contracts on Ethereum, but the registry contract is owned by key holders. So, you have to trust that the key holders will not take your second-level .eth domain away.

ENS is awesome, and I think there is enormous opportunity for collaboration between Handshake and ENS. They have graciously open sourced their code, so we forked it and created our own ENS registry for .badass. We have also open sourced our code so that anyone with a Handshake TLD can do the same thing that we have done with .badass.

We, however, have transferred ownership of the ENS registry contract to a burn address as proof that no one owns the registry. In this way, second-level .badass domain owners do not need to trust the registry, because no one controls it. The TLD .badass is out of our control, no one controls it now — it has a life of its own from now on.

How do I resolve .badass domains?

To resolve .badass domains, you can either set your system DNS servers to these temporary addresses which we have set up for convenience:

Or (preferably) you can install hsd and run it with the Handover plugin we have created, which resolves ENS names using HIP-0005 and EIP-1185.

Once you set it up you can test by resolving this name in your browser:


What is cool is that this is also the first way to resolve .eth domains with DNS. For example, using our plugin, you can view this domain in your browser:


In this way, we have kind of adopted .eth into Handshake — it can be resolved as any other TLD using Handover. This is the first implementation of EIP-1185 (DNS on ENS).

Eventually we expect resolving names will become much simpler as more browsers and DNS service providers enable resolution for Handshake in the future.

Downsides to this approach

Gas fees are high on Ethereum — it cost us over $1k to deploy these contracts. It will also add friction to domain registration and updates. This is a problem for all of ENS and there are proposals for how to fix this.

When you lock the Handshake name or ENS Registry contract, no one else (including you) can update it ever again. If any issues come up, they can’t be fixed. It is not possible to migrate to a new system. Once the ENS Registry contract is locked, no more TLDs can be added to it. If you want to add new TLDs, you will have to deploy another ENS Registry contract for them. Integrating multiple ENS Registry contracts in code / libraries may be more difficult.

Handshake gets to the root of the problem

A huge obstacle to innovation and freedom on the internet is the gated TLD namespace, which is controlled by ICANN. Handshake breaks opens the gates and will lead to a flood of innovation and freedom.

Handshake gets to the root of the problem by decentralizing the DNS root zone. It takes the internet back from the large companies who own and control it now, and gives it to the people.

Decentralized second-level domains like .badass will greatly expand this namespace and open the doors for a whole new internet.