Introducing .forever Domains

Mike Carson
Aug 3, 2021


This is an article about how and why Impervious created decentralized .forever domains, which you can register and manage right now at The .forever top-level domain (TLD) is part of the Handshake decentralized root zone, with second-level domain registrations managed via a fork of ENS.

Why we launched .forever domains

If you register a domain on a traditional ICANN TLD (e.g., .com, .org, etc.), you don’t actually own that domain. You’re renting it from a registrar, and if your lease expires, the domain will be taken away from you. This has happened to a number of companies over the years, including Microsoft (twice), the Dallas Cowboys, and Regions Bank. It continues to happen to countless other companies and individuals on a daily basis.

Even if you renew your lease, there are multiple organizations that have the ability to censor and take control over your domain. For example, if you register, the following organizations control it and can censor it: ICANN, the .com registry (Verisign), and the registrar you used to register the domain (e.g., GoDaddy). Anyone working for these organizations with sufficient access can remove your control of the domain.


Unfortunately, this isn’t a hypothetical problem. It happens all the time. Services such as Sci-Hub are constantly changing domains because governing bodies seize and censor them. The FBI famously seized the top three largest poker domains. JotForm had its domain seized for three days in 2012. A hacker took control of all .io domains by registering the domain of a name server that the registry let expire.

There are also numerous examples of individuals losing access to domains for political reasons. Recently, 81,000 UK-owned .eu domains were suspended when the Brexit transition ended, and the Spanish government seized the .cat TLD registry and deleted domains promoting a referendum for Catalonia to declare itself independent from Spain.

Finally, there are multiple services around domain names (e.g., escrow services, domain name marketplaces, etc.) in which you need to trust other organizations as middlemen. If any of these middlemen are compromised, you can easily lose control of your domains.

To address all of these problems, we created .forever domains. When you register a .forever domain, you are the only person that can control it, and the domain never expires, which means you never have to renew it. Also, since .forever domains are stored on a blockchain, they cannot be seized or censored, and you don’t have to trust or rely on middlemen. So you truly own your .forever domain, completely and forever. You can get [your family name].forever and pass it down from generation to generation.

How to register .forever domains

We’ve created a step-by-step guide to help you register .forever domains. You can also buy them from registrars like and

How to resolve .forever domains

UPDATE: Now you can use Beacon browser to easily resolve .forever domains:

We’ve created an open source menu bar app called Fingertip that uses hnsd, an SPV resolver daemon for the Handshake network, plus Ethereum, to make it easy to resolve .forever domains. The app also helps render https with DANE. You can download it here and view the source code here. Check out how easy it is to set up:

You can also install hsd and run it with the Handover plugin we have created, which resolves ENS names using HIP-0005 and EIP-1185.

Once you’ve done this, you can test it out by resolving this name in your browser:


Bonus points if you can resolve https with DANE:


What is awesome about this is that by clicking the link above, you are viewing the site with a completely secure and encrypted connection that is independent of any third party Certificate Authority.

We expect resolving names to become even easier as more browsers and DNS service providers enable resolution for Handshake.

How .forever was implemented

.forever is a TLD on the decentralized root zone Handshake, which is built on a proof of work blockchain. People can open auctions and bid on TLDs directly using the Handshake protocol. Once the auction is over and the winner has registered the name, it is only owned and controlled by the wallet that registered the name.

To create truly decentralized second-level domains, we must remove the control that the owner of the TLD has over the TLD. We need to prove that the owner of the TLD will not suddenly “pull the rug” out from all of the second-level domain owners by changing the records for the TLD.

To do this, we first set the NS for the .forever TLD to point to the ENS contract that we deployed (using HIP-0005 format):

"records": [
  {
    "type": "NS",
    "ns": "0x0001af047E9fb5dCD99E6823C900f3D8f5b2c5f4._eth."
  }
]

Handshake uses Bitcoin-like redeem scripts, so we then used the following script to make the .forever TLD uneditable by anyone:

0x08 // RENEW

Handshake is a fork of Bitcoin with added covenants, so we can use this script to prove to second-level domain owners that they do not need to trust the owner of the .forever TLD, because the data currently on the blockchain for the TLD can no longer be changed. This script says that the only acceptable transaction is a RENEW transaction, and that anyone can make it. So no one can update the .forever TLD, but anyone can renew it. The .forever TLD is now owned by no one (for more detailed information, check out this test for hsd created by Matt Zipkin).
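The effect of the lock script, as an added example that is not from the original article or from hsd: a simplified evaluator that assumes the full script is OP_TYPE, 0x08, OP_EQUAL (only the 0x08 line appears above) and uses hsd's covenant type numbers. The names runScript and allowedCovenants and the transaction shape are hypothetical.

```javascript
// Covenant type numbers as used by hsd; RENEW = 8 matches the 0x08 above.
const TYPES = {
  REGISTER: 6, UPDATE: 7, RENEW: 8, TRANSFER: 9, FINALIZE: 10, REVOKE: 11
};

// Assumption: the complete lock script pushes the covenant type, pushes 8,
// and compares them. Only the 0x08 line is shown in the article.
const LOCK_SCRIPT = ['OP_TYPE', 0x08, 'OP_EQUAL'];

// Simplified evaluator (hypothetical, not hsd's interpreter).
// OP_TYPE pushes the covenant type of the output at the same index as the
// input being spent; a missing output counts as type 0 (NONE).
function runScript(script, tx, inputIndex) {
  const stack = [];
  for (const op of script) {
    if (op === 'OP_TYPE') {
      const out = tx.outputs[inputIndex];
      stack.push(out ? out.covenantType : 0);
    } else if (op === 'OP_EQUAL') {
      if (stack.length < 2) return false;
      const b = stack.pop();
      const a = stack.pop();
      stack.push(a === b ? 1 : 0);
    } else if (Number.isInteger(op)) {
      stack.push(op);
    } else {
      return false; // unknown opcode
    }
  }
  return stack.length === 1 && stack[0] === 1;
}

// Try spending the name with every covenant type. No signature is checked,
// so the result is the same whoever builds the transaction.
function allowedCovenants() {
  return Object.keys(TYPES).filter((name) => {
    const tx = { outputs: [{ covenantType: TYPES[name] }] };
    return runScript(LOCK_SCRIPT, tx, 0);
  });
}

console.log(allowedCovenants());
```

UPDATE, TRANSFER, FINALIZE and REVOKE all fail the comparison, which is why the TLD's records and owner can no longer change.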

Control of the ENS contract also needs to be provably removed; otherwise, the owner of the contract could update it and pull the rug out from second-level domain owners by removing control of their domains. We have transferred ownership of the ENS registry contract to a burn address as proof that no one owns the registry. In this way, owners of second-level .forever domains do not need to trust the registry because no one controls it. The .forever TLD is completely out of our control. No one controls it — it has a life of its own from now on.

Why this is better than other solutions

There are already decentralized second-level domains on the internet. Ethereum Name Service allows users to register second-level domains under the .eth TLD. Other services like Unstoppable Domains (.crypto) and Namecoin (.bit) are similar in theory. But there are no integrations for traditional DNS records on .eth and .crypto, so you can’t view them in a browser or with https. The best you can do is redirect the name to a traditional domain or to a static IPFS page. The .eth, .crypto, and .bit TLDs are also orphaned — they are not anchored in any root zone.


We made the decision to anchor .forever in the decentralized root zone Handshake, which is built on a proof of work blockchain (a fork of Bitcoin). An advantage of Handshake is that it removes the need to trust Certificate Authorities (CAs). Currently, when you visit an https website, you have to trust the CA that issued the certificate. With Handshake, you can set up DANE, so that internet traffic to the domain can be encrypted using only DNS. We have added support for https on .forever and you can use this easy 2-step process to generate an SSL certificate and TLSA record to set this up for your .forever domain.
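How a client checks a server key against a TLSA record without a CA, as an added example that is not Impervious's code: it assumes a "3 1 1" record (DANE-EE, SubjectPublicKeyInfo, SHA-256) and uses throwaway keys and the constructed host name example.forever. All function names are hypothetical.

```javascript
const crypto = require('node:crypto');

const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest();

// Owner name a TLSA record is published at, e.g. _443._tcp.<host>
function tlsaOwner(host, port = 443, proto = 'tcp') {
  return `_${port}._${proto}.${host}`;
}

// Build the record data for "3 1 1" from the server's public key (SPKI DER).
function tlsaFromSpki(spkiDer) {
  return { usage: 3, selector: 1, matchingType: 1,
           data: sha256(spkiDer).toString('hex') };
}

// Client-side check: does the key presented in the TLS handshake match?
// Only "3 1 1" is handled here; anything else is rejected, not ignored.
function matchesTlsa(record, presentedSpkiDer) {
  if (record.usage !== 3 || record.selector !== 1 ||
      record.matchingType !== 1) return false;
  const want = Buffer.from(record.data, 'hex');
  const got = sha256(presentedSpkiDer);
  return want.length === got.length && crypto.timingSafeEqual(want, got);
}

// Constructed sample input: a fresh P-256 public key in SPKI DER form.
function newSpki() {
  const { publicKey } = crypto.generateKeyPairSync('ec',
    { namedCurve: 'prime256v1' });
  return publicKey.export({ type: 'spki', format: 'der' });
}

function demo() {
  const serverKey = newSpki();      // key the domain owner published
  const substitutedKey = newSpki(); // key from a different certificate
  const record = tlsaFromSpki(serverKey);
  return {
    owner: tlsaOwner('example.forever'),
    genuine: matchesTlsa(record, serverKey),
    substituted: matchesTlsa(record, substitutedKey)
  };
}

console.log(demo());
```

The check is only as strong as the lookup that returned the record, so the TLSA answer has to come from an authenticated resolution path rather than an unauthenticated DNS response.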


Truly decentralized domain names that support DNS and https are essential to the freedom of the internet. It’s even better when they never expire so that you can be confident that you will own them forever. We are really happy to launch the first domains of this kind and look forward to seeing how it plays out. If you have any questions, please reach out:


