
NIXI is busy: From routing to securing domains, the internet exchange has got newer mandates now

The recent conflict with Pakistan places the development of India’s HTTPS root, and an internet resilience policy to keep core services running during cyber disruptions, among its core tasks

May 19, 2025 / 12:43 IST

As India faces growing threats in the digital domain amid heightened geopolitical tensions, including the recent conflict with Pakistan, the country's cybersecurity response is no longer just about firewalls and advisories.

A relatively quiet public sector entity, the National Internet Exchange of India (NIXI) is rapidly becoming a foundational force behind India’s digital sovereignty. And its role has never been more critical.

“The last two to three weeks have been very hectic,” says Devesh Tyagi, CEO of NIXI, referring to the recent spate of cyberattacks in the wake of the India-Pakistan conflict.

“We can’t curb all frauds, but we can minimise them and ensure that the person is identified — from where this fraud has happened.”

Early roots, starting with local routing 

NIXI’s journey began in 2003 with a straightforward goal — to reduce India’s reliance on foreign servers by establishing domestic Internet Exchange Points (IXPs).

“Exchange point is an interconnection of ISPs (Internet Service Providers), which was established to keep our data — which is meant for the country — routed within the country,” explained Tyagi. “It was primarily to ensure that the network, or internet, what we call network of networks, is accessible to one and all without any delay,” he said.

Formally incorporated on June 19, 2003, under Section 8 of the Companies Act as a not-for-profit organisation, NIXI was envisioned to promote local internet peering, reduce international bandwidth costs, and improve service quality for ISPs.

NIXI also took the responsibility of allocating IP addresses and Autonomous System (AS) numbers within India through its division, the Indian Registry for Internet Names and Numbers (IRINN) — a foundational task that enables the core functioning of internet networks across the country.

From its early days with just four exchange points, NIXI has grown its footprint to 77, with many located in Tier 2 and 3 towns. “We work on a slogan, ‘Internet for All’,” Tyagi said. “Our motive is that the services which are accessible to a common person in metro cities should also be available to that common person, far from metros — say, Tier-2 cities in hilly regions.”

This technical groundwork and network expansion paved the way for a more strategic responsibility. In 2004, the government delegated the operations of the .in domain, India’s Country Code Top-Level Domain (ccTLD), to NIXI, which now manages it through its INRegistry division. “When we started, we had around 1,000 domains. As on date, we have around 42 lakh,” the CEO said.


Fight against digital impersonation 

So, why does control over ‘.in’ matter? Tyagi explained the critical difference between ccTLDs like ‘.in’ and globally governed domains like ‘.com’. “When we call it a ‘.in’ domain, it is basically managed by a country. The rules can be framed by the country itself or the agency managing that particular domain. For gTLDs (Generic Top-Level Domains), there are global rules which we can’t interfere in.”

This freedom to set local policy became essential in the fight against digital fraud. “There was a study by CERT-In (Indian Computer Emergency Response Team), around six years back, which found that, out of the total frauds in our country, 67 percent were in the name of financial institutions and banks,” Tyagi said.

The frauds often worked through phishing links — fake websites made to look like real banks. “What the fraudsters generally do is that they will send a link, and when people click on that, they will be in the firing line.”

That’s when the RBI approached MeitY (Ministry of Electronics and Information Technology), and NIXI proposed a two-domain solution. “We will be creating .bank.in zone for banks and .fin.in for financial institutions,” Tyagi said.

“Under these domains, an RBI-appointed agency will be managing the allocations,” he said.

For example, if State Bank of India wants a domain, it would be issued sbi.bank.in only through Hyderabad's Institute for Development and Research in Banking Technology (IDRBT), the tech arm of the RBI.

“Since IDRBT is part of Ministry of Finance and RBI, it will ensure that it (domain) goes to the genuine party.”

The goal is straightforward: “It enhances trust. Users should see that any link coming from .bank.in or .fin.in is the only genuine link for banking transactions.”

Implementation is already in progress. “In the next six months, all banks will be migrated to .bank.in, and .fin.in will start thereafter. I would say that in around one year, these things will be in place. These two zones will be saving our country — our hard-earned money — from frauds.”

MSME and tourism sectors next

NIXI is now in talks with other ministries to create additional verified zones. “We are in talks with MSME ministry — .msme.in may come,” Tyagi said. “We are in talks with the tourism ministry, so that .tourism.in may come. These zones will be saving our services.”

As with .bank.in, the idea is to decentralise domain approvals through nodal ministries. “Allocations under that will be done by the agency nominated by that particular ministry, which will ensure safety and security,” he said. “The zones under ‘.in’ are already safe — but this adds another layer.”

KYC, AI and blacklists

To prevent misuse of ‘.in’ domains, NIXI has revamped its domain registrar agreement as well. “We had revised that agreement around six months back,” Tyagi said, “and it is still under implementation, wherein we made certain provisions to make it safe and secure.”

The first key reform: mandatory eKYC and dual authentication. “All allocations done under .in will now be safe and secure, because we ask all details — including email and a valid mobile number.”

The second step is even more advanced — the use of AI to stop repeat offenders. “We are creating a database of people who have done fraud previously — we will keep their email and mobile in one record,” he said. “If that person or intruder tries to access or get some other domain again, we will reject it at the registry level. Unless he proves it otherwise.”

“These steps don’t directly prevent a sophisticated cyberattack — but they make it harder for malicious actors to repeatedly exploit the same infrastructure using fake or recycled credentials. In moments of geopolitical tension, such safeguards act as an early filter — ensuring that India’s internet stack isn’t easily manipulated or spoofed from within. It’s about tightening the gates,” Tyagi said.

Why browsing patterns must stay in India

Another critical but lesser-known aspect of digital sovereignty is the HTTPS certificate — the lock icon users see on websites. But India hasn’t issued its own, yet.

“Currently, we are not able to provide HTTPS. We have to take it from other countries or global players,” Tyagi pointed out. “So, what we had started, along with CCA (Controller of Certifying Authorities), is a project under implementation. Within the next one year, we will have our own root Web Trust-certified security server — our own version of HTTPS.”

This is vital for two reasons. “First of all, all the browsing patterns currently, when we are browsing our internet, is going to the outside world. It will remain within the country,” Tyagi said. “Second, we will be able to implement the policies which our MeitY will decide.”

What if the internet is cut off? NIXI’s resilience blueprint

One of the most forward-looking initiatives NIXI is building is the Internet Resilience Policy — a plan for digital continuity in case India is cut off from the global internet. “We are coming with an internet resilience policy for our country,” Tyagi said.

The objective is to ensure that critical services remain functional even if international links are severed. “Under internet resilience, we will be using ‘.in’ domain and our exchange points. All the ISPs — if they are connected to some exchange point — and those are interconnected and managed by the root server of .in domain… we are the authoritative server.”

What this means is that even in the worst-case scenario, people with ‘.in’ domains and domestic IPs will still be able to resolve and access key services. “All those people who are having IP addresses from NIXI and .in domains — can be resolved. We will be able to give these critical services to our government.”

Tyagi said the ministry has already issued advisories. “I am thankful to my ministry. They have written to all the other ministries and departments — that they should now migrate to .in domains.”

India’s browser moment and blockchain use case

As part of building self-reliance at every layer, MeitY recently launched a browser challenge, wherein NIXI is a partner. “We thought we should have our own country’s browser,” Tyagi said. “Because suppose a war or something happens, our cables are cut — then other problems are there.”

Along with the new HTTPS infrastructure, the goal is a complete local stack. “From IPv4/IPv6 addresses to browsers to HTTPS — we are trying to put everything in place,” he said. “We are basically building Bharat into these things — digitally.”

Blockchain is in the roadmap too. “It has started at the global level. Policies are being formed — it is in the starting stage. But we have also started consultations with ICANN (Internet Corporation for Assigned Names and Numbers). We will be taking blockchain and AI into our registry software in future as well.”

From managing IP address allocations to securing verified domains for banks and public services, NIXI’s role has steadily expanded beyond its original mandate as an internet exchange. “We are just trying to ensure that our country is self-aligned at every level,” the CEO said. “We are not just using the internet. We are becoming a sovereign part of it.”


Chandra R Srikanth
Chandra R Srikanth is Editor- Tech, Startups, and New Economy
Naina Sood
first published: May 19, 2025 12:32 pm
