.. _epp:

EPP
===

About
-----

The 2022 registry platform has standardised on the globally adopted Extensible Provisioning Protocol (EPP). EPP communication between the Registrar and the Registry allows the Registrar to manage domain, host and contact objects without using the web portal.

EPP is a protected service: to access it, Registrars require both an EPP account (see :ref:`Portal Accounts `) and a TLS Client Certificate.

Registrars must ensure that EPP requests meet EPP standards as defined by the following:

* `RFC 5730 `_,
* `RFC 5731 `_,
* `RFC 5732 `_,
* `RFC 5733 `_, and,
* `RFC 5734 `_.

The registry parses all incoming requests using a validating XML parser that reads the XML and validates XML syntax before processing the request.

Transport Security
------------------

Communication to the EPP server is only possible via an authenticated encrypted mTLS connection over TCP/IP port 700.

To connect to each IRS environment you will need a single TLS Client Certificate signed by the related Intermediate Issuing CA.

* NZRS Root CA (2012)
* InternetNZ IRS Production Issuing CA
* InternetNZ IRS OTE Issuing CA

The EPP servers currently support connections via the following protocols:

* TLSv1.2

.. note:: Only one certificate will be issued per IRS environment.

.. _client_crt:

Client Certificates
-------------------

To obtain a client certificate you will need to generate a private key and a CSR (Certificate Signing Request) and email registry support with only the CSR attached.

**Private Key**

The private key must be generated within the following constraints.

* Key Size: 4096 to 8192 bits.
* Algorithm: RSA

.. warning:: Your private key is your own; do not send it to registry support.

**CSR**

The Certificate Request must be generated within the following constraints.

* Signature: SHA256 Signature.
* Certificate Common Name (CN): environment.regid.registrarname.epp.

.. note:: The regid in the request is the primary registrar id, not a secondary id.

.. tip:: Example CN format for `prod` and `ote` for registrar id `1234` with the name `yourtradingname`

   .. code-block:: shell

      prod.1234.yourtradingname.epp
      ote.1234.yourtradingname.epp

* The name can contain the ``.`` character
* The name cannot contain a space
* The entire CN string cannot exceed 64 characters
* The trading name can be an abbreviated version of the full trading name
* The filename of the request should be the CN string with the extension ``.crt``

.. note:: Server Certificate Validity, if defined, will be ignored and overridden to 2 years from date of issue.

InternetNZ will return a signed client certificate which you will need to use to establish a TLS connection to the respective EPP server.

IP Allowlisting
---------------

EPP has a dedicated IP Allowlist, which can only be configured through the portal.

.. _servers_prod:

Servers and Ports
-----------------

====================== ================================ ============== ========= ============ =============
Interface              Server/URL                       IP             Port      TCP/UDP      Description
====================== ================================ ============== ========= ============ =============
Portal                 https://irs.net.nz               103.70.24.0    443       TCP          HTTP over TLS
EPP                    epp.irs.net.nz                   103.70.24.1    700       TCP          EPP over mTLS
TBR                    tbr.irs.net.nz                   103.70.24.2    700       TCP          TBR over mTLS
WHOIS                  whois.irs.net.nz                 103.70.24.3    43        TCP          WHOIS
====================== ================================ ============== ========= ============ =============

Namespaces and Schemas
----------------------

============================= ====================================== ===============================================
Namespace                     Scheme                                 XSD extensions supported by IRS
============================= ====================================== ===============================================
EPP                           urn:ietf:params:xml:ns:epp-1.0         epp-1.0, eppall-1.0, and eppcom-1.0 - RFC 5730
Domain                        urn:ietf:params:xml:ns:domain-1.0      domain-1.0 - RFC 5731
Host                          urn:ietf:params:xml:ns:host-1.0        host-1.0 - RFC 5732
Contact                       urn:ietf:params:xml:ns:contact-1.0     contact-1.0 - RFC 5733
Registry Fee Extension 0.9    urn:ietf:params:xml:ns:fee-0.9         fee-0.9 - RFC Draft: brown-epp-fees
Registry Fee Extension 0.11   urn:ietf:params:xml:ns:fee-0.11        fee-0.11 - RFC Draft: regext-epp-fees
IDN                           urn:ietf:params:xml:ns:idn-1.0         idn-1.0 - RFC Draft: eppext-idnmap
Launch Phase Mapping          urn:ietf:params:xml:ns:launch-1.0      launch-1.0 - RFC Draft: regext-launchphase
Domain Registry Grace Period  urn:ietf:params:xml:ns:rgp-1.0         rgp-1.0 - RFC 3915
DNSSEC                        urn:ietf:params:xml:ns:secDNS-1.1      secDNS-1.1 - RFC 5910
============================= ====================================== ===============================================

.. note:: Fee 0.9 is an earlier version of the Fee extension and 0.11 is the latest version.

**The following are the Fury-specific custom extensions:**

============================= ====================================== ===============================================
Namespace                     Scheme                                 Fury extensions supported by IRS
============================= ====================================== ===============================================
Fury Generic properties       urn:ietf:params:xml:ns:fury-2.0        fury 2.0 - Generic properties
Fury Registry Fee Extension                                          fury-rgp-1.0 - RGP
============================= ====================================== ===============================================

EPP Commands
-------------

The following EPP commands can be used by registrars to query and update objects in IRS production and OTE environments:

Please also see the EPP code examples in the Portal Help section and in the IRS Registrar Guide 8.0 available `here `_

login
^^^^^^

This command establishes a session with an EPP server.

Request:

.. code-block:: xml

   user_epp password 1.0 en urn:ietf:params:xml:ns:epp-1.0 urn:ietf:params:xml:ns:domain-1.0 urn:ietf:params:xml:ns:host-1.0 urn:ietf:params:xml:ns:contact-1.0 urn:ietf:params:xml:ns:fury-rgp-1.0 urn:ietf:params:xml:ns:fury-2.0 urn:ietf:params:xml:ns:idn-1.0 urn:ietf:params:xml:ns:secDNS-1.1 urn:ietf:params:xml:ns:launch-1.0 urn:ietf:params:xml:ns:mark-1.0 urn:ietf:params:xml:ns:signedMark-1.0 http://www.w3.org/2000/09/xmldsig# urn:ietf:params:xml:ns:rgp-1.0 urn:ietf:params:xml:ns:fee-0.11 ABC-54321

.. csv-table::
   :file: loginelements.csv
   :widths: 10, 10, 60
   :header-rows: 1

Response:

.. code-block:: xml

   Command completed successfully ABC-54321 CIRA-000055043942-0000000001

domain:check
^^^^^^^^^^^^^

This command checks whether a domain name is available for registration.

Request:

.. code-block:: xml

   domain.nz otherdomain.nz ABC-12345

.. csv-table::
   :file: domaincheckelements.csv
   :widths: 20, 20, 60
   :header-rows: 1

Response:

.. code-block:: xml

   Command completed successfully domain.nz otherdomain.nz CIRA-000054882110-0000000002

.. csv-table::
   :file: domcheckresponcse.csv
   :widths: 20, 10, 60
   :header-rows: 1

domain:create
^^^^^^^^^^^^^^

This command is used to create a new domain name.

**.nz Business Rules**

* A .nz domain must have 1 registrant contact, 1 administrative contact and 1 technical contact. There is an optional billing contact which can also be added.
* A .nz domain name can have a registration period between 1 and 10 years.
* A .nz domain name can have 0 or from 2 to 13 Host objects.
* An Authentication code "authcode" must be provided with the registration request.

Request:

.. code-block:: xml

   anewdomain.nz 1 ns1.first.nz ns2.first.nz con1234 con1234 con1234 BdqqKh22NEg3dHz7 ABC-12345

.. csv-table::
   :file: domcreate.csv
   :widths: 20, 10, 60
   :header-rows: 1

Response:

.. code-block:: xml

   Command completed successfully anewdomain.nz 2023-03-16T04:17:17.009Z 2024-03-16T04:17:17.009Z NZD 18.00 -432.00 ABC-12345 CIRA-000054906105-0000000002

.. csv-table::
   :file: domcreateresponse.csv
   :widths: 20, 10, 60
   :header-rows: 1

Request with DNSSEC:

.. code-block:: xml

   dnssecdomain.nz 1 ns1.first.nz ns2.first.nz con1234 con1234 con1234 BdqqKh22NEg3dHz7 12987 3 1 8cdb09364147aed879d12c68d615f98af5900b72 ABC-12346

Response:

.. code-block:: xml

   Command completed successfully dnssecdomain.nz 2023-03-16T22:27:43.774Z 2024-03-16T22:27:43.774Z NZD 18.00 -450.00 ABC-12346 CIRA-000055050502-0000000002

domain:info
^^^^^^^^^^^^

This command is used to retrieve information associated with a domain name.

**.nz Business Rules**

Registrars can only get a full response for domain objects managed by them. For domains not managed by the registrar, they will get a full response if they specify the authcode. If they do not include the authcode they will get a truncated response.

Request:

.. code-block:: xml

   anewdomain.nz ABC-12995

Response:

.. code-block:: xml

   Command completed successfully anewdomain.nz 9958301-INZ con1234 con1234 con1234 ns1.first.nz ns2.first.nz 997 997 2023-03-16T04:17:17.009Z 2024-03-16T04:17:17.009Z 2023-03-17T04:17:17.198Z PRIVACY PUBLIC ABC-12995 CIRA-000055056702-0000000002

Response for a domain outside of registrar management and no authcode included:

.. code-block:: xml

   Command completed successfully newtest.nz 128701-INZ ns1.tim9.nz ns2.tim9.nz 998 2022-04-26T01:30:21.280Z 2022-10-13T03:28:55.185Z 2023-04-26T01:30:21.280Z 2023-04-26T01:30:21.280Z ABC-12996 CIRA-000055069101-0000000002

domain:update
^^^^^^^^^^^^^^

A domain update request can be used to update a domain's status, contacts, hosts, authcode, privacy and DNSSEC records.

Request:

.. code-block:: xml

   first.nz ns1.example.nz ns2.example.nz ns1.timtest.nz ns2.timtest.nz Vget465jUht87hg3 PRIVACY PRIVATE PRIVACY PUBLIC ABC-12432

.. csv-table::
   :file: domupdate.csv
   :widths: 20, 10, 60
   :header-rows: 1

domain:delete
^^^^^^^^^^^^^^

This command is used to cancel a domain name.

.nz Business Rules
********************

**Auto-Renew**

.nz domain names auto renew at the end of their registration period. In order to remove an existing .nz domain name from the register a delete command has to be sent.

**Registration and Renewal Grace Periods**

.nz domain names have a 5 day Registration Grace Period, a 5 day explicit Renewal Grace Period and a 45 day Auto-renew Grace Period. Sending a delete command during any of these grace periods for a domain will undo the previous transaction and remove any billing transactions caused by the create or renew transaction from the system.

Sending a delete within 5 days after registration will remove the domain name immediately from the register and the domain name is available for registration again.

Sending a delete within either of the Renewal Grace Periods will undo the renewal, void the billing transaction and put the domain name in status Redemption period.

**Restore from Redemption Period**

A cancelled .nz domain name will be kept in the register for another 90 days under the Redemption Period status (except when cancelled during Registration Grace Period). During that time the registrar will be able to fully re-instate the domain name for the registrant so that it becomes active again using the restore process. The domain name can also be transferred to a new registrar and be restored by the gaining registrar.

Request:

.. code-block:: xml

   testdomain.nz ABC-22432

Response:

.. code-block:: xml

   Command completed successfully ABC-22432 CIRA-000055592709-0000000002

domain:restore
^^^^^^^^^^^^^^^

While in Redemption Period a domain can be restored to reactivate it. Both a restore request and a restore report are required to complete the process.

.. note:: On restore from redemption, a domain will autorenew instantly for 1 year if it is past its expiry date.

Restore request:

.. code-block:: xml

   testdomain.nz ABC-32432

Restore response:

.. code-block:: xml

   Command completed successfully NZD 0.00 -468.00 ABC-32432 CIRA-000055610507-0000000002

Restore report request:

.. code-block:: xml

   testdomain.nz Not Applicable Not Applicable. 2023-03-20T09:08:50 2023-03-20T11:31:50 Registrant error. This registrar has not restored the Registered Name in order to assume the rights to use or sell the Registered Name for itself or for any third party. The information in this report is true to best of this registrar's knowledge, and this registrar acknowledges that intentionally supplying false information in this report shall constitute an incurable material breach of the Registry-Registrar Agreement. Supporting information goes here. ABC-32433

Restore report response:

.. code-block:: xml

   Command completed successfully ABC-32433 CIRA-000055613114-0000000002

domain:transfer
^^^^^^^^^^^^^^^^

This command allows the transfer of management of a domain name between registrars.

.nz Business Rules
*******************

**When and How to transfer**

Transfer for an existing domain name can be performed by registrars at any time except during the Registration Grace Period (first 5 days after domain create) or when a domain name has been locked by the registry.

To transfer the management of a domain name the Auth-code needs to be provided in the transfer request which is provided by the registrant to the gaining registrar. The registrant of a domain name can request the Auth-code from their current registrar who is required to supply the information. Please check to find out how to generate a new Auth-code.

**The Releasing Registrar**

The releasing registrar is not able to delay the transfer, nor refuse to supply the Auth-code so the transfer cannot occur.
A service message will be generated after a successful transfer to notify the releasing registrar of the transfer away.
The releasing registrar will be able to retrieve this message by running the poll command. op="request" only

**Renewal**

A renewal is not required as part of a registrar transfer but can be included if needed.

Transfer request without renewal:

.. code-block:: xml

   testdomain.nz authcodeauthcode ABC-42433

Response:

.. code-block:: xml

   Command completed successfully testdomain.nz serverApproved 998 2023-03-20T00:13:02.326Z 997 2023-03-20T00:13:02.443Z 2023-03-27T19:37:21.034Z NZD 0.00 ABC-42433 CIRA-000055625102-0000000002

Transfer request with renewal:

.. code-block:: xml

   testdomain.nz 1 passwordpassword ABC-42434

Response:

.. code-block:: xml

   Command completed successfully authcodetest-4.nz serverApproved 997 2023-03-20T00:42:01.493Z 998 2023-03-20T00:42:01.615Z 2024-03-27T19:37:21.034Z NZD 18.00 ABC-42434 CIRA-000055629101-0000000002

domain:renew
^^^^^^^^^^^^^

This command is used to renew a domain name.

.nz Business Rules
*******************

* A .nz domain doesn't expire but auto-renews automatically on a yearly basis unless the domain has been explicitly renewed for one or more years by a renewal command prior to its expiry date or
* the domain name has been cancelled or
* the domain name has been locked by the registry
* Domain names can be renewed for up to 10 years (depending on the current expiration date). A domain name can have an expiration date up to 10 years into the future.
* There is a 5 day Renewal Grace Period

Renewal request:

.. code-block:: xml

   testdomain.nz 2024-03-27 2 ABC-52434

Response:

.. code-block:: xml

   Command completed successfully testdomain.nz 2026-03-27T19:37:21.034Z NZD 36.00 -522.00 ABC-52434 CIRA-000055633314-0000000002

poll
^^^^^

This command is used to check and retrieve queued service messages.

Request:

.. code-block:: xml

Response:

.. code-block:: xml

   Command completed successfully; ack to dequeue 2023-03-15T03:00:29.284Z Domain deltestdomain.nz has been deleted. CIRA-000055814979-0000000002

poll ack
^^^^^^^^^

This command will acknowledge and remove a message from the poll queue so that registrars can run another poll request to get the next message in line if one exists.

.. note:: In the poll ack request "msgID" should match the "id" returned in the poll message.

Request:

.. code-block:: xml

Response:

.. code-block:: xml

   Command completed successfully CIRA-000055823571-0000000002
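
As an added example (not InternetNZ's code), this shows the client side of the transport described under Transport Security: a TLS 1.2-only context that presents the client certificate, and the length-prefixed framing that RFC 5734 defines for EPP over TCP, including reads that arrive in pieces. The ``ca_file`` parameter, the frame size cap and all function names are assumptions.

```python
import socket
import ssl
import struct

EPP_HOST, EPP_PORT = "epp.irs.net.nz", 700   # from the Servers and Ports table
MAX_FRAME = 1 << 20                          # assumption: local sanity cap, not a registry limit
_HEADER = struct.Struct("!I")                # RFC 5734: 32-bit big-endian total length


def build_client_context(cert_file=None, key_file=None, ca_file=None):
    """TLS 1.2-only client context; presents the client certificate if given."""
    # ca_file (assumption): CA bundle used to verify the EPP server certificate.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    if cert_file:
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def frame(xml_bytes):
    """Prefix an EPP XML instance with its length (the 4 header bytes count)."""
    return _HEADER.pack(len(xml_bytes) + _HEADER.size) + xml_bytes


def _read_exact(recv, n):
    # recv() may return fewer bytes than asked for, so loop until n are read.
    buf = bytearray()
    while len(buf) < n:
        chunk = recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-frame")
        buf += chunk
    return bytes(buf)


def read_frame(recv):
    """Read one data unit via recv(n), e.g. the recv method of an SSLSocket."""
    (total,) = _HEADER.unpack(_read_exact(recv, _HEADER.size))
    if not _HEADER.size <= total <= MAX_FRAME:
        raise ValueError("implausible EPP frame length: %d" % total)
    return _read_exact(recv, total - _HEADER.size)


def open_session(cert_file, key_file, ca_file=None):
    """Connect over mTLS and return (socket, greeting); the server speaks first."""
    raw = socket.create_connection((EPP_HOST, EPP_PORT), timeout=30)
    ctx = build_client_context(cert_file, key_file, ca_file)
    tls = ctx.wrap_socket(raw, server_hostname=EPP_HOST)
    return tls, read_frame(tls.recv)
```

Nothing connects at import time; ``open_session`` is the only function that touches the network, and it also requires the source address to be on the EPP IP Allowlist.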
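
As an added example (not part of the registry's documentation or tooling), the rules in the Client Certificates section can be checked before a CSR is emailed to registry support. The function name and parameters are hypothetical, the ``prod``/``ote`` environment set comes from the page's CN example, and a numeric registrar id is an assumption.

```python
MAX_CN_LEN = 64                  # page: entire CN string cannot exceed 64 characters
ENVIRONMENTS = {"prod", "ote"}   # assumption: the two environments in the page's example
KEY_BITS = range(4096, 8193)     # page: RSA, 4096 to 8192 bits


def check_request(cn, key_alg, key_bits, sig_hash, filename):
    """Return a list of rule violations; an empty list means the request fits."""
    problems = []
    if len(cn) > MAX_CN_LEN:
        problems.append("CN exceeds 64 characters")
    if " " in cn:
        problems.append("CN contains a space")
    # Layout is environment.regid.registrarname.epp. The name may contain
    # dots, so it is every label between the regid and the trailing "epp".
    labels = cn.split(".")
    if len(labels) < 4 or labels[-1] != "epp":
        problems.append("CN is not environment.regid.registrarname.epp")
    else:
        if labels[0] not in ENVIRONMENTS:
            problems.append("unknown environment: " + labels[0])
        if not labels[1].isdigit():      # assumption: registrar ids are numeric
            problems.append("registrar id is not numeric")
        if not all(labels[2:-1]):
            problems.append("registrar name has an empty label")
    if key_alg.upper() != "RSA" or key_bits not in KEY_BITS:
        problems.append("key must be RSA with 4096 to 8192 bits")
    if sig_hash.lower().replace("-", "") != "sha256":
        problems.append("CSR must carry a SHA256 signature")
    if filename != cn + ".crt":
        problems.append("filename must be the CN plus .crt")
    return problems


# Constructed sample: the page's OTE example CN paired with a too-small key.
SAMPLE = check_request("ote.1234.yourtradingname.epp", "RSA", 2048,
                       "SHA256", "ote.1234.yourtradingname.epp.crt")
```

The key algorithm, key size and signature hash are passed in as values already read from the CSR, so the check itself needs no cryptographic library.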