EPP
About
The 2022 registry platform has standardised on the globally adopted Extensible Provisioning Protocol (EPP).
EPP communication between the Registrar and the Registry allows the Registrar to manage domain, host and contact objects without using the web portal.
EPP is a protected service. To access it, Registrars require both an EPP account (see Portal Accounts) and a TLS Client Certificate.
Registrars must ensure that EPP requests meet EPP standards as defined by the following:
The registry parses all incoming requests using a validating XML parser that reads the XML and validates XML syntax before processing the request.
Transport Security
Communication to the EPP server is only possible via an authenticated encrypted mTLS connection over TCP/IP port 700.
To connect to each IRS environment you will need a single TLS Client Certificate signed by the related Intermediate Issuing CA.
NZRS Root CA (2012)
InternetNZ IRS Production Issuing CA
InternetNZ IRS OTE Issuing CA
The EPP servers currently support connections via the following protocols.
TLSv1.2
Note
Only one certificate will be issued per IRS environment
Client Certificates
To obtain a client certificate you will need to generate a private key and a CSR (certificate signing request) and email registry support with only the CSR attached.
Private Key
The private key must be generated within the following constraints.
Key Size: 4096 to 8192 bits.
Algorithm: RSA
Warning
Your private key is your own. Do not send it to registry support.
CSR
The Certificate Request must be generated within the following constraints.
Signature: SHA256 Signature.
Certificate Common Name (CN): environment.regid.registrarname.epp.
Note
The regid in the request is the primary registrar ID, not a secondary ID.
Tip
Example CN format for prod and ote for registrar id 1234 with the name yourtradingname
prod.1234.yourtradingname.epp
ote.1234.yourtradingname.epp
The name can contain the . character
The name cannot contain a space
The entire CN string cannot exceed 64 characters
The trading name can be an abbreviated version of the full trading name
The filename of the request should be the CN string with the extension .crt
InternetNZ will return a signed client certificate which you will need to use to establish an SSL connection to the respective EPP server.
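The key and CSR steps above as a shell script, added here as an example and not InternetNZ's own tooling: it checks the CN against the listed constraints before calling OpenSSL. The function names, the script name, the numeric-only regid check and the prod/ote environment list are assumptions taken from the example CNs.

```shell
#!/bin/sh
# Added example (not InternetNZ tooling): build the key and CSR for an
# IRS EPP client certificate under the constraints listed on this page.

# validate_cn CN: succeed only if CN fits environment.regid.registrarname.epp
validate_cn() {
    cn=$1
    # The entire CN string cannot exceed 64 characters.
    if [ "${#cn}" -gt 64 ]; then
        echo "CN is ${#cn} characters; the limit is 64" >&2
        return 1
    fi
    # Assumptions from the page's example CNs: environment is prod or ote,
    # regid is numeric. The name may contain "." but no whitespace.
    if ! printf '%s\n' "$cn" |
        grep -Eq '^(prod|ote)\.[0-9]+\.[^[:space:]]+\.epp$'; then
        echo "CN must look like prod.1234.yourtradingname.epp" >&2
        return 1
    fi
}

# make_csr CN [BITS]: write CN.key (private, stays local) and CN.crt (the CSR)
make_csr() {
    cn=$1
    bits=${2:-4096}
    validate_cn "$cn" || return 1
    # Key size must be 4096 to 8192 bits, RSA.
    if ! { [ "$bits" -ge 4096 ] && [ "$bits" -le 8192 ]; } 2>/dev/null; then
        echo "key size must be between 4096 and 8192 bits" >&2
        return 1
    fi
    # Subshell so the restrictive umask applies to the key file only.
    ( umask 077 && openssl genrsa -out "$cn.key" "$bits" ) || return 1
    # SHA-256 signed request; the page asks for the CN plus ".crt" as filename.
    openssl req -new -sha256 -key "$cn.key" -subj "/CN=$cn" \
        -out "$cn.crt" || return 1
    # Check the request's self-signature and print the subject before emailing.
    openssl req -in "$cn.crt" -noout -verify -subject
}

# Usage: sh make_csr.sh ote.1234.yourtradingname.epp [bits]
if [ -n "${1:-}" ]; then
    make_csr "$@"
fi
```

Only the resulting `.crt` request file is attached to the email; the `.key` file stays on the host that will open the EPP connection.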
IP Allowlisting
EPP has a dedicated IP allowlist, which can only be configured via the portal.
Servers and Ports
Interface | Server/URL | IP | Port | TCP/UDP | Description
---|---|---|---|---|---
Portal | | 103.70.24.0 | 443 | TCP | HTTP over TLS
EPP | epp.irs.net.nz | 103.70.24.1 | 700 | TCP | EPP over mTLS
TBR | tbr.irs.net.nz | 103.70.24.2 | 700 | TCP | TBR over mTLS
WHOIS | whois.irs.net.nz | 103.70.24.3 | 43 | TCP | WHOIS
Namespaces and Schemas
XSD extensions supported by IRS:
Namespace | Scheme
---|---
EPP | epp-1.0, eppall-1.0, and eppcom-1.0 - RFC 5730
Domain | domain-1.0 - RFC 5731
Host | host-1.0 - RFC 5732
Contact | contact-1.0 - RFC 5733
Registry Fee Extension 0.9 | fee-0.9 - RFC Draft: brown-epp-fees
Registry Fee Extension 0.11 | fee-0.11 - RFC Draft: regext-epp-fees
IDN | idn-1.0 - RFC Draft: eppext-idnmap
Launch Phase Mapping | launch-1.0 - RFC Draft: regext-launchphase
Domain Registry Grace Period | rgp-1.0 - RFC 3915
DNSSEC | secDNS-1.1 - RFC 5910
Note
Fee 0.9 is an earlier version of the Fee extension and 0.11 is the latest version
The following are the Fury-specific custom extensions:
Fury extensions supported by IRS:
Namespace | Scheme
---|---
Fury Generic properties | fury 2.0 - Generic properties
Fury Registry Fee Extension | fury-rgp-1.0 - RGP