Jump to content

.onion

.onion is a Special-Use Domain Name designating Tor onion services. It is not part of the public DNS root, being resolved inside the Tor network rather than via ordinary DNS queries.[1][2] The designation gives Tor’s naming scheme an explicit place in the broader system of Internet identifiers without delegating a TLD in the ICANN-administered root zone.

Role in Tor Onion Services[edit | edit source]

Onion services (formerly called "hidden services") use .onion hostnames to provide end-to-end encrypted and anonymised connections in which both client and service locations are obscured by Tor’s onion routing protocol.[1][2] An onion address is derived from the service’s public key; "version 3" addresses are 56-character base32 strings that encode a key plus checksum and version information.[2]

Tor-aware applications, most notably the Tor Browser, treat .onion as belonging to a separate naming system, calling Tor’s rendezvous protocol, while other hostnames continue to be resolved via the local DNS resolver.[3]

Registration as a Special-Use Domain[edit | edit source]

Before formal standardisation, .onion functioned as a de facto pseudo-TLD used only by Tor. RFC 7686 registers .onion in the IANA Special-Use Domain Names registry under the framework defined by RFC 6761, and specifies how software should treat it.[1][4]

The RFC instructs DNS software not to forward .onion queries to the public DNS, and reserves the label from delegation in the DNS root.[1] The goal is to reduce accidental leakage of onion addresses into the DNS infrastructure and to ensure that future new gTLD rounds cannot delegate .onion in a way that conflicts with Tor’s naming system.[2][5]

ICANN material explaining the "dark web" therefore emphasises that .onion is reserved and was never delegated from the public DNS root, countering the recurring misconception that it is a normal gTLD.[6]

HTTPS and Web PKI[edit | edit source]

Although Tor onion services are already authenticated at the protocol level (the hostname encodes the service’s key), some sites deploy HTTPS on top of Tor to integrate with the public Web PKI and to reuse browser security indicators.[7]

Prior to RFC 7686 and related policy changes, certificate authorities could only issue certificates for .onion names as "internal names", and those certificates were subject to early expiry under CA/Browser Forum rules.[2] After .onion was recognised as a special-use domain, CA/Browser Forum Ballot 144 added explicit validation rules for .onion names and permitted EV certificates for onion services under specific conditions.[8][9]

Subsequent ballots and revisions created an explicit definition of an "Onion Domain Name" as any FQDN ending in the RFC 7686 .onion label and moved the validation rules into an Appendix that allows DV and OV certificates for version 3 onion addresses.[10][11] In practice, Tor documentation notes that only a small number of CAs issue publicly trusted certificates for onion services, and that support is often manual and limited compared with ordinary DNS-based domains.[7]

Internet Governance and Alternative Naming[edit | edit source]

From an Internet governance standpoint, .onion is a prominent example of an alternative naming system that coexists with the public DNS while sharing the same perceptive space. ICANN’s SSAC has repeatedly cited .onion when describing “uses of the shared global domain name space” by systems that are not part of DNS but still rely on familiar domain-name syntax.[5] SAC123, on the evolution of the Internet name space, points to Tor’s use of .onion as an instance where an application-level naming system bypasses administrator-controlled DNS settings and may complicate efforts to maintain a single, coherent namespace.[3]

These discussions place .onion alongside other alternative or non-DNS namespaces (such as .alt labels and blockchain-based naming) in debates about name collisions, user expectations, and the long-term stability of Internet identifiers. RFC 7686 and the corresponding IANA registry entry can be read as an attempt to document this reality and to provide minimal coordination between protocol design, certificate policy, and ICANN’s role in managing the public DNS root, without bringing onion services under ICANN’s contractual remit.[1][4][3]

See Also[edit | edit source]

References[edit | edit source]

  1. 1.0 1.1 1.2 1.3 1.4 J. Appelbaum, A. Muffett, "The '.onion' Special-Use Domain Name", RFC 7686, IETF, October 2015.
  2. 2.0 2.1 2.2 2.3 2.4 ".onion", Wikipedia (accessed 2025-12-02).
  3. 3.0 3.1 3.2 ICANN SSAC, "SAC123: SSAC Report on the Evolution of the Internet Name Space", 15 December 2023.
  4. 4.0 4.1 "Special-use domain name", Wikipedia (accessed 2025-12-02).
  5. 5.0 5.1 ICANN SSAC, "SAC078: SSAC Advisory on Uses of the Shared Global Domain Name Space", 16 February 2016.
  6. ICANN, "The Dark Web: The Land of Hidden Services", 27 June 2017.
  7. 7.0 7.1 Tor Project, "HTTPS for your Onion Service" (accessed 2025-12-02).
  8. CA/Browser Forum, "Ballot 144 – Validation rules for .onion names", 18 February 2015.
  9. DigiCert, "Onion Officially Recognized as Special-Use Domain", 11 September 2015.
  10. CA/Browser Forum, "Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates", v2.1.9, 10 November 2025.
  11. CA/Browser Forum, "Ballot SC27v3: Version 3 Onion Certificates", 20 February 2020.

Request For Comments. Archival series dedicated to documenting Internet technical specifications, including general contributions from the Internet research and engineering community as well as standards documents (RFC Editor Model, Version 3).

HTTP over Transport Layer Security (TLS), distinguishing secured traffic from insecure traffic by the use of a different server port (RFC 2818).

X.509 Public Key Infrastructure for the Internet (RFC 5280).

Security and Stability Advisory Committee. Advises the ICANN community and Board on matters relating to the security and integrity of the Internet's naming and address allocation systems (ICANN Bylaws).

Retrieved from "https://icannwiki.org/index.php?title=.onion&oldid=1398482"
Semantic properties for ".onion"
RDF feed