EPP

About

The 2022 registry platform has standardised on the globally adopted Extensible Provisioning Protocol (EPP).

EPP communication between the Registrar and the Registry allows the Registrar to manage domain, host and contact objects without using the web portal.

EPP is a protected service, to access the service Registrars require both an EPP account (see Portal Acconts) and TLS Client Certificate.

Registrars must ensure that EPP requests meet EPP standards as defined by the following:

• RFC 5730,

• RFC 5731,

• RFC 5732,

• RFC 5733, and,

• RFC 5734.

The registry parses all incoming requests using a validating XML parser that reads the XML and validates XML syntax before processing the request.

Transport Security

Communication to the EPP server is only possible via an authenticated encrypted mTLS connection over TCP/IP port 700.

To connect to each IRS environment you will need a single TLS Client Certificate signed by the related Intermediate Issuing CA.

• NZRS Root CA (2012)

  • InternetNZ IRS Production Issuing CA

  • InternetNZ IRS OTE Issuing CA

The EPP servers currently support connections via the following protocols.

• TLSv1.2

Note

Only one certificate will be issued per IRS environment

Client Certificates

To obtain a client certificate you will need to generate a Private key and CSR (Certificate signing request) and email registry support with only the CSR attached.

Private Key

The private key must be generated within the following constraints.

• Key Size: 4096 to 8192 bits.

• Algorithm: RSA

Warning

Your private key is your own, do not send it to registry support

CSR

The Certificate Request must be generated within the folling constraints.

• Signature: SHA256 Signature.

• Certificate Common Name (CN): environment.regid.registrarname.epp.

Note

The regid in the request is the primary registrar id, not secondary id’s

Tip

Example CN format for prod and ote for registrar id 1234 with the name yourtradingname

prod.1234.yourtradingname.epp
ote.1234.yourtradingname.epp

• The name can contain the . character

• The name cannot contain a space

• The entire CN string cannot exceed 64 characters

• The trading name can be abbreviated version of the full trading name

• The filename of the request should be the CN string with the extension .crt

InternetNZ will return a signed client certificate which you will need to use to establish an SSL connection to the respective EPP server.

IP Allowlisting

EPP has a dedicated IP Allowlist, these can only be configured by the portal.

Servers and Ports

Please reference EPP server line for the relevant environment listed below.

• OTE

Namespaces and Schemas

Namespace	Scheme	XSD extensions supported by IRS:
EPP	urn:ietf:params:xml:ns:epp-1.0	epp-1.0, eppall-1.0, and eppcom-1.0 - RFC 5730
Domain	urn:ietf:params:xml:ns:domain-1.0	domain-1.0 - RFC 5731
Host	urn:ietf:params:xml:ns:host-1.0	host-1.0 - RFC 5732
Contact	urn:ietf:params:xml:ns:contact-1.0	contact-1.0 - RFC 5733
Registry Fee Extension 0.9	urn:ietf:params:xml:ns:fee-0.9	#fee-0.9 - RFC Draft: brown-epp-fees
Registry Fee Extension 0.11	urn:ietf:params:xml:ns:fee-0.11	fee-0.11 - RFC Draft: regext-epp-fees
IDN	urn:ietf:params:xml:ns:idn-1.0	idn-1.0 - RFC Draft: eppext-idnmap
Launch Phase Mapping	urn:ietf:params:xml:ns:launch-1.0	launch-1.0 - RFC Draft: regext-launchphase
Domain Registry Grace Period	urn:ietf:params:xml:ns:rgp-1.0	rgp-1.0 - RFC 3915
DNSSEC	urn:ietf:params:xml:ns:fee-0.11	secDNS-1.1 - RFC 5910

Note

Fee 0.9 is an earlier version of the Fee extension and 0.11 is the latest version

The following are the Fury-specific custom extensions:

Namespace	Scheme	Fury extensions supported by IRS:
Fury Generic properties	urn:ietf:params:xml:ns:fury-2.0	fury 2.0 - Generic properties
Fury Registry Fee Extension		fury-rgp-1.0 - RGP