EPP

About

The 2022 registry platform has standardised on the globally adopted Extensible Provisioning Protocol (EPP).

EPP communication between the Registrar and the Registry allows the Registrar to manage domain, host and contact objects without using the web portal.

EPP is a protected service. To access it, Registrars require both an EPP account (see Portal Accounts) and a TLS Client Certificate.

Registrars must ensure that EPP requests meet EPP standards as defined by the following:

The registry parses all incoming requests using a validating XML parser that reads the XML and validates XML syntax before processing the request.

Transport Security

Communication to the EPP server is only possible via an authenticated encrypted mTLS connection over TCP/IP port 700.

To connect to each IRS environment you will need a single TLS Client Certificate signed by the related Intermediate Issuing CA.

  • NZRS Root CA (2012)

    • InternetNZ IRS Production Issuing CA

    • InternetNZ IRS OTE Issuing CA

The EPP servers currently support connections via the following protocols.

  • TLSv1.2

Note

Only one certificate will be issued per IRS environment.

Client Certificates

To obtain a client certificate you will need to generate a private key and a CSR (Certificate Signing Request) and email registry support with only the CSR attached.

Private Key

The private key must be generated within the following constraints.

  • Key Size: 4096 to 8192 bits.

  • Algorithm: RSA

Warning

Your private key is your own; do not send it to registry support.

CSR

The Certificate Request must be generated within the following constraints.

  • Signature: SHA256 Signature.

  • Certificate Common Name (CN): environment.regid.registrarname.epp.

Note

The regid in the request is the primary registrar ID, not secondary IDs.

Tip

Example CN format for prod and ote for registrar id 1234 with the name yourtradingname:

prod.1234.yourtradingname.epp
ote.1234.yourtradingname.epp

  • The name can contain the . character

  • The name cannot contain a space

  • The entire CN string cannot exceed 64 characters

  • The trading name can be an abbreviated version of the full trading name

  • The filename of the request should be the CN string with the extension .crt

InternetNZ will return a signed client certificate, which you will need to use to establish a TLS connection to the respective EPP server.
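The private key and CSR constraints above, worked through with OpenSSL as an added example (not InternetNZ's own tooling). It assumes the openssl CLI is installed, that regid is numeric, and that the environment label is prod or ote; the function names and the .key file name are hypothetical:

```shell
#!/bin/sh
# Added example (not registry-supplied code). Assumptions: OpenSSL is installed,
# regid is numeric, and the environment label is "prod" or "ote".

# validate_cn CN -> returns 0 if CN meets the constraints listed above
validate_cn() {
    cn=$1
    # The entire CN string cannot exceed 64 characters.
    [ "${#cn}" -le 64 ] || { echo "CN exceeds 64 characters" >&2; return 1; }
    # The name cannot contain a space (any whitespace is rejected here).
    case $cn in
        *[[:space:]]*) echo "CN contains whitespace" >&2; return 1 ;;
    esac
    # environment.regid.registrarname.epp; the name may contain '.'.
    # '/' is also rejected (added restriction): the CN doubles as a file name.
    printf '%s' "$cn" | grep -Eq '^(prod|ote)\.[0-9]+\.[^/]+\.epp$' ||
        { echo "CN is not environment.regid.registrarname.epp" >&2; return 1; }
}

# make_csr CN [DIR] -> writes DIR/CN.key (private key) and DIR/CN.crt (the CSR)
make_csr() {
    validate_cn "$1" || return 1
    (
        umask 077   # key file readable by its owner only
        # RSA 4096-bit key, unencrypted on disk (-nodes), SHA-256 signed request
        openssl req -new -newkey rsa:4096 -nodes -sha256 \
            -subj "/CN=$1" -keyout "${2:-.}/$1.key" -out "${2:-.}/$1.crt"
    )
}

# check_csr FILE -> returns 0 if the request is SHA-256/RSA, key 4096..8192 bits
check_csr() {
    text=$(openssl req -in "$1" -noout -text 2>/dev/null) || return 1
    printf '%s\n' "$text" | grep -q 'sha256WithRSAEncryption' || return 1
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 4096 ] && [ "${bits:-0}" -le 8192 ]
}

# Usage:
#   make_csr ote.1234.yourtradingname.epp
#   check_csr ote.1234.yourtradingname.epp.crt
# Attach only the .crt request to the email; the .key file stays with you.
```

The key is written without a passphrase, so its protection rests on file permissions and on where the file is stored.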

IP Allowlisting

EPP has a dedicated IP Allowlist, which can only be configured through the portal.

Servers and Ports

Please refer to the EPP server line for the relevant environment listed below.

Namespaces and Schemas

| XSD extensions supported by IRS | Namespace | Scheme |
|---|---|---|
| EPP | urn:ietf:params:xml:ns:epp-1.0 | epp-1.0, eppall-1.0, and eppcom-1.0 - RFC 5730 |
| Domain | urn:ietf:params:xml:ns:domain-1.0 | domain-1.0 - RFC 5731 |
| Host | urn:ietf:params:xml:ns:host-1.0 | host-1.0 - RFC 5732 |
| Contact | urn:ietf:params:xml:ns:contact-1.0 | contact-1.0 - RFC 5733 |
| Registry Fee Extension 0.9 | urn:ietf:params:xml:ns:fee-0.9 | fee-0.9 - RFC Draft: brown-epp-fees |
| Registry Fee Extension 0.11 | urn:ietf:params:xml:ns:fee-0.11 | fee-0.11 - RFC Draft: regext-epp-fees |
| IDN | urn:ietf:params:xml:ns:idn-1.0 | idn-1.0 - RFC Draft: eppext-idnmap |
| Launch Phase Mapping | urn:ietf:params:xml:ns:launch-1.0 | launch-1.0 - RFC Draft: regext-launchphase |
| Domain Registry Grace Period | urn:ietf:params:xml:ns:rgp-1.0 | rgp-1.0 - RFC 3915 |
| DNSSEC | urn:ietf:params:xml:ns:fee-0.11 | secDNS-1.1 - RFC 5910 |

Note

Fee 0.9 is an earlier version of the Fee extension and 0.11 is the latest version

The following are the Fury-specific custom extensions:

| Fury extensions supported by IRS | Namespace | Scheme |
|---|---|---|
| Fury Generic properties | urn:ietf:params:xml:ns:fury-2.0 | fury 2.0 - Generic properties |
| Fury Registry Fee Extension | | fury-rgp-1.0 - RGP |