EPP Protocol
============

How do I generate a new UDAI in EPP?
------------------------------------

If a new UDAI is requested by the registrant a simple <domain:update> command can be sent with a <domain:chg> element and an <domain:authinfo> child element with an empty <domain:pw> element. This will trigger an update of the UDAI, for example:

.. code-block:: xml

    <?xml version="1.0" encoding="UTF-8" standalone="no"?>
    <epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
      <command>
        <update>
          <domain:update xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
            <domain:name>internetnz.net.nz</domain:name>
            <domain:chg>
              <domain:authInfo>
                <domain:pw></domain:pw>
              </domain:authInfo>
            </domain:chg>
          </domain:update>
        </update>
      </command>
    </epp>

The new UDAI is returned in a service message which can be retrieved by running a poll command.

Why can't I retrieve a domain\:pw using domain\:info?
-----------------------------------------------------

In .nz a domain:info command will not return the current domain password. This is a side effect of how we store the domain password/UDAI.

The SRS system was designed around the expectation that should a domain password/UDAI code be misplaced then a new code would be generated upon request rather than returning the existing password/UDAI.

In this situation the most sensible design from a security perspective was for us to store the domain passwords/UDAI codes using salted cryptographically secure hashes/one-way encryption as per best practices for storing passwords. This means we are unable to return the original password.

Why can't I set my own domain:pw on a domain?
---------------------------------------------

Under existing .nz systems and policies the registry is responsible for the system-generated UDAIs and we have no provision to allow a registrar to set a UDAI even if this UDAI would meet our UDAI generation criteria.

We are currently reviewing these implementation details.


How do I set or update nameserver IP glue in .nz EPP?
-----------------------------------------------------


To update the IP address of an in-zone host nameserver, the current nameserver must be overwritten using the domain\:add element, with the new IP address being specified.

To add an in-zone host nameserver, the nameserver must be added using the domain\:add element, with the new IP address being specified.

To remove an in-zone host nameserver, the nameserver must be removed using the domain\:rem element. The ipv4 or ipv6 address will be ignored if specified.

Please note: Do not use the domain\:add and domain:rem together for the same nameserver if the purpose is to update the IP address. Use the domain\:add element only.

Each nameserver can have two domain:hostAddr glue records, one for ipv4 and one for ipv6.

.. code-block:: xml

    <?xml version="1.0" encoding="UTF-8" standalone="no"?>
    <epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
      <command>
        <update>
          <domain:update xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
            <domain:name>exampledomain.ac.nz</domain:name>
            <domain:add>
              <domain:ns>
                <domain:hostAttr>
                  <domain:hostName>ns2.exampledomain.ac.nz</domain:hostName>
                  <domain:hostAddr ip="v4">1.2.3.4</domain:hostAddr>
                  <domain:hostAddr ip="v6">1080:0:0:0:8:800:200C:417A</domain:hostAddr>
                </domain:hostAttr>
              </domain:ns>
            </domain:add>
          </domain:update>
        </update>
        <clTRID>updatedomain-2014-06-24-example</clTRID>
      </command>
    </epp>

As a quick reminder the glue is only used if the nameservers for the domain are "in-bailiwick" (i.e. the nameservers for a domain are under the domain itself). If you provide glue for nameservers which are not in-bailiwick then this will be silently dropped by SRS.