Technical

Domain Registry vs Registrar: Understanding the Difference

By Corg Published · Updated

Domain Registry vs Registrar: Understanding the Difference

The domain name system operates through a hierarchy that confuses many investors: registries, registrars, and resellers perform different functions, charge at different levels, and provide different services. Understanding this chain explains why domain prices vary between providers, why transfers work the way they do, and why registry lock provides stronger protection than registrar lock.

Our Approach: This comparison uses structured evaluation of strengths and tradeoffs for each. Primary factors were transaction security, platform reliability, market reach. We do not accept payment or free products from any brand featured here.

Registries: The Wholesalers

A domain registry operates the authoritative database for an entire top-level domain. Verisign operates the .com and .net registries. The Public Interest Registry operates .org. Donuts (now Identity Digital) operates over 200 new gTLD registries (.app, .dev belong to Google’s registry). Country-code registries are operated by designated organizations in each country (SIDN for .nl, Nominet for .uk, DENIC for .de).

Registries do not sell domains directly to consumers (with rare exceptions). Instead, they maintain the master database of all registrations, set wholesale pricing that registrars pay per registration and renewal, operate the TLD nameservers that route DNS queries, implement registry-level policies (including lock services), and manage zone files containing all delegation records.

The wholesale price Verisign charges registrars for a .com registration is $10.26 as of 2024 (with scheduled annual increases under the Verisign-.com agreement with ICANN). This wholesale price explains why no registrar can profitably sell .com domains below approximately $9 — they would lose money on every transaction.

Registrars: The Retailers

ICANN-accredited registrars are authorized to sell domain registrations to the public. There are over 2,500 accredited registrars worldwide, though a handful dominate the market.

Major registrars and their .com pricing: Namecheap at $8.88/year (below wholesale, subsidized by other revenue), Cloudflare at $9.15/year (at-cost pricing, no markup), Porkbun at $9.73/year, Dynadot at $9.77/year, GoDaddy at $21.99/year renewal (after first-year promotional pricing).

Registrars provide the customer-facing interface for domain registration, DNS management, WHOIS privacy, transfer facilitation, and customer support. They communicate with the registry through the EPP (Extensible Provisioning Protocol) to create, renew, transfer, and delete domain registrations.

Resellers: The Sub-Retailers

Many companies selling domain registrations are not ICANN-accredited registrars — they are resellers operating under a registrar’s accreditation. Resellers add a markup to the registrar’s price and provide their own customer interface, but the actual registration happens through the parent registrar.

This matters for domain investors because reseller domains may be harder to transfer (you must go through the parent registrar’s process), support options are limited (the reseller handles first-tier support, the registrar handles technical issues), and pricing typically includes a markup over direct registrar pricing.

Check your registrar’s ICANN accreditation status at icann.org/registrar-reports. If your provider is not listed, they are operating as a reseller.

Why the Distinction Matters for Security

The registry-registrar distinction directly impacts domain security through the lock hierarchy.

Registrar lock (ClientTransferProhibited): Set by your registrar, removable by your registrar. If an attacker compromises your registrar account, they can remove the registrar lock and initiate a transfer.

Registry lock (ServerTransferProhibited, ServerUpdateProhibited): Set by the registry at the registrar’s request, removable only by the registry after manual verification. Even if an attacker fully compromises your registrar account, they cannot remove the registry lock without satisfying the registry’s separate verification process.

For premium domains worth $10,000+, registry lock through your registrar (Namecheap offers this for approximately $75/year per domain) provides protection that no registrar-level security can match.

Pricing and the Value Chain

Understanding the value chain explains pricing anomalies. Verisign charges $10.26 wholesale for .com. Namecheap sells at $8.88 — below wholesale. How? Namecheap subsidizes domain registrations through upsells (hosting, SSL, email), volume bonuses from Verisign, and new customer acquisition strategy. Cloudflare sells at $9.15 with zero markup, absorbing the small loss as customer acquisition for their other services. GoDaddy sells at $21.99 renewal, capturing $11+ per domain in margin, partly to fund their massive advertising budget.

For domain investors managing 100+ names, the registrar price difference compounds significantly. At Namecheap ($8.88), 200 domains cost $1,776/year. At GoDaddy ($21.99), the same portfolio costs $4,398/year — a $2,622 difference that directly reduces investment returns.

For more on how the technical infrastructure works, see how domain registries operate. To understand the lock hierarchy in practice, read domain locking strategies.

More in Technical

Domain Portfolio Backup Strategy: Disaster Recovery for Investors Domain Load Testing and Scalability: Preparing for Traffic Spikes Domain Redemption Period Explained: Recovering Accidentally Expired Domains Domain Migration and Redesign Planning: Moving Content Without Losing Value

View all Technical articles →