EPP Protocol
How do I generate a new UDAI in EPP?
If the registrant requests a new UDAI, send a simple <domain:update> command containing a <domain:chg> element with a <domain:authInfo> child element that holds an empty <domain:pw> element. This triggers an update of the UDAI, for example:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
  <command>
    <update>
      <domain:update xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
        <domain:name>internetnz.net.nz</domain:name>
        <domain:chg>
          <domain:authInfo>
            <domain:pw></domain:pw>
          </domain:authInfo>
        </domain:chg>
      </domain:update>
    </update>
  </command>
</epp>
The new UDAI is returned in a service message which can be retrieved by running a poll command.
Why can’t I retrieve a domain:pw using domain:info?
In .nz a domain:info command will not return the current domain password. This is a side effect of how we store the domain password/UDAI.
The SRS system was designed around the expectation that should a domain password/UDAI code be misplaced then a new code would be generated upon request rather than returning the existing password/UDAI.
In this situation the most sensible design from a security perspective was for us to store the domain passwords/UDAI codes using salted cryptographically secure hashes/one-way encryption as per best practices for storing passwords. This means we are unable to return the original password.
Why can’t I set my own domain:pw on a domain?
Under existing .nz systems and policies the registry is responsible for the system-generated UDAIs and we have no provision to allow a registrar to set a UDAI even if this UDAI would meet our UDAI generation criteria.
We are currently reviewing these implementation details.
How do I set or update nameserver IP glue in .nz EPP?
To update the IP address of an in-zone host nameserver, the current nameserver must be overwritten using the domain:add element, with the new IP address being specified.
To add an in-zone host nameserver, the nameserver must be added using the domain:add element, with the new IP address being specified.
To remove an in-zone host nameserver, the nameserver must be removed using the domain:rem element. The IPv4 or IPv6 address will be ignored if specified.
Please note: Do not use the domain:add and domain:rem together for the same nameserver if the purpose is to update the IP address. Use the domain:add element only.
Each nameserver can have two domain:hostAddr glue records, one for IPv4 and one for IPv6.
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
  <command>
    <update>
      <domain:update xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
        <domain:name>exampledomain.ac.nz</domain:name>
        <domain:add>
          <domain:ns>
            <domain:hostAttr>
              <domain:hostName>ns2.exampledomain.ac.nz</domain:hostName>
              <domain:hostAddr ip="v4">1.2.3.4</domain:hostAddr>
              <domain:hostAddr ip="v6">1080:0:0:0:8:800:200C:417A</domain:hostAddr>
            </domain:hostAttr>
          </domain:ns>
        </domain:add>
      </domain:update>
    </update>
    <clTRID>updatedomain-2014-06-24-example</clTRID>
  </command>
</epp>
As a quick reminder, the glue is only used if the nameservers for the domain are “in-bailiwick” (i.e. the nameservers for a domain are under the domain itself). If you provide glue for nameservers which are not in-bailiwick, it will be silently dropped by SRS.
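Because out-of-bailiwick glue is dropped without an error, a registrar client can check for it before sending the update. The following is an added example, not registry or SRS code: the function names `in_bailiwick` and `build_glue_update` are hypothetical, and it assumes "in-bailiwick" means the host name is a strict subdomain of the domain name. It also enforces the limit of one IPv4 and one IPv6 address per nameserver.

```python
import ipaddress
import xml.etree.ElementTree as ET

EPP_NS = "urn:ietf:params:xml:ns:epp-1.0"
DOMAIN_NS = "urn:ietf:params:xml:ns:domain-1.0"


def in_bailiwick(host, domain):
    """True if host sits under domain (whole-label match, case-insensitive)."""
    h = host.rstrip(".").lower()
    d = domain.rstrip(".").lower()
    # The leading dot stops "ns.notexample.nz" matching "example.nz".
    return h.endswith("." + d)


def build_glue_update(domain, host, addrs):
    """Return (epp_xml, warnings) for a domain:add nameserver glue update."""
    # ip_address() raises ValueError on anything that is not a valid address.
    parsed = [ipaddress.ip_address(a) for a in addrs]
    versions = [p.version for p in parsed]
    if len(versions) != len(set(versions)):
        raise ValueError("at most one IPv4 and one IPv6 glue record per nameserver")

    warnings = []
    if parsed and not in_bailiwick(host, domain):
        warnings.append(f"{host} is not under {domain}: glue will be silently dropped")

    ET.register_namespace("", EPP_NS)
    ET.register_namespace("domain", DOMAIN_NS)
    epp = ET.Element(f"{{{EPP_NS}}}epp")
    command = ET.SubElement(epp, f"{{{EPP_NS}}}command")
    update = ET.SubElement(command, f"{{{EPP_NS}}}update")
    dom_update = ET.SubElement(update, f"{{{DOMAIN_NS}}}update")
    ET.SubElement(dom_update, f"{{{DOMAIN_NS}}}name").text = domain
    add = ET.SubElement(dom_update, f"{{{DOMAIN_NS}}}add")
    ns = ET.SubElement(add, f"{{{DOMAIN_NS}}}ns")
    host_attr = ET.SubElement(ns, f"{{{DOMAIN_NS}}}hostAttr")
    ET.SubElement(host_attr, f"{{{DOMAIN_NS}}}hostName").text = host
    for p in parsed:
        addr = ET.SubElement(host_attr, f"{{{DOMAIN_NS}}}hostAddr", ip=f"v{p.version}")
        addr.text = str(p)  # canonical (compressed, lower-case) form
    return ET.tostring(epp, encoding="unicode"), warnings


if __name__ == "__main__":
    # Constructed sample input reusing the names from the example above.
    xml, notes = build_glue_update(
        "exampledomain.ac.nz", "ns2.exampledomain.ac.nz",
        ["1.2.3.4", "1080:0:0:0:8:800:200C:417A"])
    print(xml, notes)
```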