What is the SRS Transaction Rate limit?¶
The SRS transaction rate limit is currently set to a maximum of 15 (fifteen) requests per second as a rolling average. If you exceed this rate limit SRS will begin rejecting requests and will continue to do so until the rolling average drops below 15 requests per second again.
To assist registrars with managing their transaction request rates the SRS provides an additional HTTP response header as part of SRS communications. There is no requirement for registrars to use this header, however it does provide information to assist them in tuning their applications to get the best possible throughput from SRS – if that is important to them.
The following is an example of the HTTP response header:
HTTP/1.1 200 OK Date: Mon, 12 Feb 2007 22:50:31 GMT Server: Apache X-resource-consent: RegistrarRequestLimit,2,15 Connection: close Content-Type: application/x-www-form-urlencoded
In this example you can see the RegistrarRequestLimit returned and has two values. The first value is the number of requests per second received at the front end and the second value is the current limit. So in this example we have a rate of 2 requests per second for this registrar and the limit is 15 requests per second.
The following is an example of the XML error response returned if the rate is exceeded:
<NZSRSResponse VerMajor="1" VerMinor="38"> <Error ErrorId="CONSENT_ERROR" Hint="INVALID_REQUEST_ERROR" Severity="err"> <Description><![CDATA[Request denied due to resource limits being exceeded]]></Description> <ErrorDetails><![CDATA[RegistrarRequestLimit,17,15]]></ErrorDetails> </Error> </NZSRSResponse>
In this example you can see the RegistrarRequestLimit returned has a rate of 17 requests per second for this registrar and the limit is 15 requests per second.
The rate limit value is rounded down to the nearest whole number.
Why is there a transaction rate limit?¶
InternetNZ set the SRS Request Rate Limit in order to protect the stability of the SRS and to share the SRS resources equally between registrars. There is a SRS Resource Manager that manages the SRS resources if the SRS comes under excessive load from one or more registrars.
Please refer to the following link for details and examples: SRS Resource Manager.
How do I access the droplist/released names list?¶
If you intend to automate your droplist process we recommend you make use of the REST API GET droplist functionality, however if you are simply wanting to check the droplist manually you can access this via the registrar Portal: https://registrars.internetnz.nz/opportunities/drop-list
What is the process to follow for names that are being released by the SRS?¶
For names that are being released by our nightly process please ensure that you only send a DomainCreate request after you have performed a valid SRS/EPP availability check using the WHOIS or INFO commands. The purpose of the availability check is to ensure that a minimum number of DomainCreate requests are sent to SRS and that they are not sent before our release process has finished.
The release maintenance window runs from 00:29:00 to 00:34:00 and all names should be released during this maintenance window. Please ensure that your availability checks are only sent in the period just prior to the end of the window (starting from 00:33:45 should be sufficient). Sending availability checks throughout the majority of the window could result in the name being skipped by our released job due to lock errors and thus being released in the following window.
If the domain is Active, locked or with another registrar to not send a DomainCreate, and do not send any further availability checks.
If the name has not been released you can continue sending availability checks for a short time after release time. If it has not been released after half an hour it probably won’t be released and your availability checks should stop.
If the DomainCreate fails with the message “Create requested for a registered domain”, do not send any further DomainCreate requests as the name has already been taken.
If the DomainCreate fails with the message “This domain is not allowed to be registered, please contact Registry support” the domain is currently on the Conficker blacklist and will not be released until a future released-names window. Please follow the standard Conficker blocked names procedure unless you have been advised by the DNC that due to competition for the name it will be released automatically during an upcoming released-names window, at which point it is safe to attempt to register the domain for up to 30 minutes following each released-names window until the domain is either registered successfully or taken by another registrar.
Registrars should limit the rate of transactions being submitted to SRS to no more than 15 transactions per second. Should SRS be disabled by a registrars actions we may be required to withdraw that registrar’s access to SRS without further notice.
What causes DOMAIN_BLOCKED messages when registering a domain?¶
<Error ErrorId="DOMAIN_BLOCKED" Hint="INVALID_REQUEST_ERROR" Severity="err"> <Description>This domain is not allowed to be registered, please contact Registry support </Description> <ErrorDetails>dqal.co.nz</ErrorDetails> </Error>
This is the error message reported by SRS when a domain name is on the Conficker blacklist.
The Conficker blacklist was part of the .NZ registry response to the Conficker C worm, which was the first variant of the Conficker worm to included the .nz ccTLD as part of the worm’s domain generation algorithm. Domains which are listed on the SRS Conficker blacklist cannot be immediately registered, though under normal circumstances you can follow the procedure for handling Conficker blocked names as documented below.
There is no impact on existing domain holders should their domain become listed on the Conficker blacklist, however their DNS servers may see an unusual number of queries on the active date from systems still carrying the worm.
Despite the fact this worm was first detected over four years ago there are still a surprising number of Conficker-infected systems, and as such it is still considered best-practice for registries to continue blocking these domain registrations during the high-risk periods surrounding the “active” date for each domain. For further information on the Conficker C worm you may be interested in the following document: http://mtc.sri.com/Conficker/addendumC/
Upon receiving this message under normal circumstances registrars should follow this procedure:
The registrar should let the registrant know that the registration was not successful and that they should contact the Domain Name Commission (DNC) via email@example.com
The DNC will verify the registration with the registrant.
If the DNC approves the registration they will pass details on to InternetNZ.
The registrar will liaise with InternetNZ to establish an appropriate time for the domain to be removed from the blacklist at which point the registrar should immediately register the domain on behalf of the registrant.
What causes MISSING_MANDATORY_FIELD (UDAI) errors?¶
This error usually indicates that the domain name is not managed under the registrar you are trying to update the domain with. To update a domain name that is not under your management you need to provide the UDAI for the domain name. If the UDAI provided is valid then the domain name will be transferred over to you and updated.
What is the registration grace period?¶
The registration grace period is set to 5 (days). This is the period after initial registration that a Registrar may cancel a domain and not be billed for the domain and the domain name is released back to the available pool of names. It is also the period during which a Registrant may not transfer the management of a domain to another Registrar after initial registration.
What is the renewal grace period?¶
The renewal grace period is set to 5 (days). This is the period after a domain is renewed that a Registrar may cancel a domain without being billed for the renewal period.
When does the Grace Period end?¶
The grace period expires 5 days after the registration and is in line with the initial registration time.
Is there anyway to override the Registration Grace Period?¶
No the grace period is set at 5 days and is not changeable by registrars, any transaction will have to occur after the grace period.
Why am I getting 440 Request Denied or 441 Request Blocked from the .nz Whois server?¶
Under .NZ Whois policy InternetNZ is required to protect the security of data in the Whois database from unauthorised or abusive use while as much as is practicable preserving public access to the WHOIS service.
As such the WHOIS server has a number of different rate limiting mechanisms, and when significant abuse of the WHOIS server is occurring some legitimate queries may be unintentionally blocked.
If you are an authorised .nz registrar you can:
Run your queries via the SRS or EPP protocols
Request an IP address whitelist ACL for the .nz Whois server from firstname.lastname@example.org
If you are not an authorised .nz registrar you can:
Send your Whois requests via an authorised .nz registrar
Contact email@example.com to discuss a bulk whois agreement.
How do I find out how many domains I have under my registrar ID?¶
This information is avaliable via the registrar Portal: https://registrars.internetnz.nz/transactions/growth
Alternatively an SRS registrar can use the DomainDetailsQry transaction with a CountResults parameter. eg:
<NZSRSRequest RegistrarId="90" VerMajor="1" VerMinor="0"> <DomainDetailsQry CountResults="1"/> </NZSRSRequest>
How do I get a list of domains under my registrar ID?¶
Registrars can download Domain List CSV for all their domains from the Registrars Portal at https://registrars.internetnz.nz/portfolio/domain-list from the Domain List tab https://docs.registry.internet.nz/portal/#portfolio
A registrar connecting via the SRS protocol can use the DomainDetailsQry transaction.
This transaction can bring back up to a maximum of 1500 results at a time, so the second time you run it you need to set the SkipResults parameter to bring back the next 1500 results (SkipResults=”1500”).
You can also vary the fields brought back by setting the parameters in the FieldList to 0 or 1. eg:
<NZSRSRequest RegistrarId="90" VerMajor="1" VerMinor="0"> <DomainDetailsQry MaxResults="1000" SkipResults="0"> <FieldList AdminContact="1" AuditText="1" BilledUntil="1" CancelledDate="1" ChangedByRegistrarId="1" Delegate="1" EffectiveFrom="1" LastActionId="1" LockedDate="1" NameServers="1" RegisteredDate="1" RegistrantContact="1" RegistrantRef="1" RegistrarId="1" RegistrarName="1" Status="1" TechnicalContact="1" Term="1"/> </DomainDetailsQry> </NZSRSRequest>
What is a moderated domain and who are the moderators of a moderated domain?¶
Details on moderated domains can be found here: https://dnc.org.nz/about/about-the-commission/what-we-do/moderated-second-levels/
Can a Registrar provide a UDAI when the domain is in Pending Release?¶
Yes, registrars can generate new UDAIs for both active and Pending Release names. If the domain is in Pending Release, registrars should avoid uncancelling the domain prior to generating a new UDAI.
We previously had a bug where this was not possible under EPP, however this has been fixed since July 2014
How many name servers can be specified for a domainname in .nz?¶
Registrars are allowed to specify between 0 - 10 name servers, but the domain will not be delegated unless there are at least two valid name servers.
How often do you publish changes to the .nz zone files?¶
InternetNZ publishes changes to the zone file every 15 minutes. The process to build, sign and distribute the zone files starts at the top of the hour and repeats every 15 minutes there after, and that under normal circumstances the new zone files are live on the nameservers within 10 minutes.
To clarify, nameserver changes made between 1:45 pm and 1:59 pm are included in the 2 pm zone build, which will be available on the nameservers prior to 2:10 pm.
When do I have to provide IP address glue for nameservers?¶
SRS will only keep IP ‘Glue Records’ for a nameserver if that name server is in-bailiwick, i.e. the nameservers are under the domain itself.
Sample domain: internetnztestdomain.net.nz Nameservers: - ns1.internetnztestdomain1.net.nz (Glue required, as to resolve ns1.internetnztestdomain.net.nz we would first have to resolve internetnztestdomain.net.nz) - ns2.testdomain2.net.nz (Nameserver is not self-serving, no glue required or stored by SRS) - ns3.testdomain2.net.nz (Nameserver is not self-serving, no glue required or stored by SRS)
We support both IPv4 and IPv6 glue.
What is the limit of IP addresses that can be whitelisted for access to SRS¶
InternetNZ does not apply any strict limits on the number of IP addresses for white listing, however we do expect registrars to minimise the number of addresses added.
Why is the SRS Production environment in Read Only mode?¶
The SRS test environment has recurring scheduled maintenance at the following times:
00:29 until 00:34 NZST/NZDT (5 minute window)
In addition to this the SRS environment is also placed into Read Only mode during SRS releases and other periods of scheduled maintenance.
SRS releases are normally scheduled once per month, and will be published on our status page