25 Extensible Provisioning Protocol (EPP)

Prototypical answer:

gTLD: .AXIS | Full Legal Name: Saudi Telecom Company | E-mail suffix: centralnic.com

Except where specified this answer refers to the operations of the Applicant's outsource Registry Service Provider, CentralNic.

The Extensible Provisioning Protocol (EPP) is an application layer client-server protocol for the provisioning and management of objects stored in a shared central repository. EPP defines generic object management operations and an extensible framework that maps protocol operations to objects. EPP has become established as the common protocol by which domain registrars can manage domains, nameservers and contact details held by domain registries. It is widely deployed in the gTLD and ccTLD registry space.

CentralNic has operated its EPP system since 2005, and it currently operates at significant load in terms of registrars, sessions and transaction volumes. CentralNic's EPP system is fully compliant with the following RFC specifications:
5730 - Base Protocol
5731 - Domain Objects
5732 - Host Objects
5733 - Contact Objects
5734 - TCP Transport
3735 - Extension Guidelines
3915 - RGP Extension
5910 - DNSSEC Extension

25.1. Description of Interface

EPP is a stateful XML protocol layered over TCP (see RFC 3734). Protected using lower-layer security protocols, clients exchange identification, authentication, and option information, and engage in a series of client-initiated command-response exchanges. All EPP commands are atomic (there is no partial success or partial failure) and designed so that they can be made idempotent (executing a command more than once has the same net effect on system state as successfully executing the command once).

EPP provides four basic service elements: service discovery, commands, responses, and an extension framework that supports definition of managed objects and the relationship of protocol requests and responses to those objects.

EPP servers respond to client-initiated communication (which can be either a lower-layer connection request or an EPP service discovery message) by returning a greeting to a client. The server then responds to each EPP command with a coordinated response that describes the results of processing the command.

EPP commands fall into three categories: session management, queries, and transform commands. Session management commands are used to establish and end persistent sessions with an EPP server. Query commands perform read-only object information retrieval operations. Transform commands perform read-write object management operations.

Commands are processed by a server in the order they are received from a client. The protocol includes features that allow for offline review of transform commands before the requested action is completed. In such situations, the response clearly notes that the command has been received but that the requested action is pending. The corresponding object then reflects processing of the pending action. The server will also notify the client when offline processing of the action has been completed. Object mappings describe standard formats for notices that describe completion of offline processing.

EPP uses XML namespaces to provide an extensible object management framework and to identify schemas required for XML instance parsing and validation. These namespaces and schema definitions are used to identify both the base protocol schema and the schemas for managed objects.

25.1.1. Objects supported

Registrars may create and manage the following object types in the CentralNic EPP system:
domains (RFC 5731)
host objects (RFC 5732)
contact objects (RFC 5733)

25.1.2. Commands supported

CentralNic supports the following EPP commands:
“hello” - retrieve the “greeting” from the server
“login” and “logout” - session management
“poll” - message queue management
“check” - availability check
“info” - object information
“create” - create object
“update” - update object
“renew” - renew object
“delete” - delete object
“transfer” - manage object transfer

25.2. EPP state diagram

Figure 25.1 describes the state machine for the EPP system. Clients establish a connection with the server, which sends a greeting. Clients then authenticate, and once a login session is established, submit commands and receive responses until the server closes the connection, the client sends a logout command, or a timeout is reached.

25.3. EPP Object Policies

The following policies apply to objects provisioned via the EPP system:

25.3.1. domains

1. domains must comply with the syntax described in RFC 1035 §2.3.1. Additionally, the first label of the name must be between 3 and 63 characters in length.
2. domains must have a registrant attribute which is associated with a contact object in the database.
3. domains must have an administrative contact attribute which is associated with a contact object in the database.
4. domains must have a technical contact attribute which is associated with a contact object in the database.
5. domains may have a billing contact attribute which is associated with a contact object in the database.
6. domains may have between 0 (zero) and 13 DNS servers. A domain with no name servers will not resolve and no records will be published in the DNS.
7. the host object model for domains is used rather than the host attribute model.
8. domains may have a number of status codes. The presence of certain status codes indicates the domain's position in the lifecycle, described further in §27.
9. where policy requires, the server may respond to a “domain:create” command with an "Object Pending" (1001) response. When this occurs, the domain is placed onto the pendingCreate status while an out-of-band validation process takes place.
10. when registered, the expiry date of a domain may be set up to ten years from the initial date of registration. Registrars can specify registration periods in one-year increments from one to ten.
11. when renewed, the expiry date of a domain may be set up to ten years from the current expiry date. Registrars can specify renewal periods in one-year increments from one to ten. domains which auto-renew are renewed for one year at a time.
12. domains must have an authInfo code which is used to authenticate inter-registrar transfer requests. This authInfo code may contain up to 48 bytes of UTF-8 character data.
13. domains may have one or more DS records associated with them. DS records are managed via the secDNS EPP extension, as specified in RFC 5910.
14. only the sponsoring registrar of the domain may submit “update”, “renew” or “delete” commands for the domain.
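The domain rules above applied to an incoming domain:create frame, as an added Python example that is not CentralNic's code: it parses the RFC 5731 domain mapping with ElementTree and checks label syntax and first-label length (rule 1), the registration period (rule 10), the host object model and name server count (rules 6 and 7), required and optional contacts against a contact table (rules 2 to 5, IDs compared case-insensitively as §25.3.3 requires) and the 48-byte UTF-8 limit on authInfo (rule 12). The contact IDs and the sample frame are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

NS = {"domain": "urn:ietf:params:xml:ns:domain-1.0"}  # RFC 5731 domain mapping namespace
# One RFC 1035 §2.3.1 label: letter first, letter or digit last, hyphens inside, max 63 chars.
LABEL_RE = re.compile(r"^[A-Za-z](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
KNOWN_CONTACTS = {"sh8013", "sh8014"}  # constructed: contact IDs already in the database

def check_name(name):
    """Rule 1: RFC 1035 label syntax, and the first label is 3 to 63 characters."""
    labels = name.split(".")
    if not name or not all(LABEL_RE.match(label) for label in labels):
        return "name does not comply with RFC 1035 §2.3.1"
    if not 3 <= len(labels[0]) <= 63:
        return "first label must be between 3 and 63 characters"
    return None

def validate_create(frame, contacts, max_years=10, max_ns=13, authinfo_bytes=48):
    """Return the policy violations for a domain:create frame (an empty list means accepted)."""
    errors = []
    create = ET.fromstring(frame).find(".//domain:create", NS)
    if create is None:
        return ["not a domain:create command"]
    err = check_name(create.findtext("domain:name", default="", namespaces=NS))
    if err:
        errors.append(err)
    # Rule 10: registration period is 1 to 10 years, in one-year increments.
    period = create.find("domain:period", NS)
    if period is not None and not (period.get("unit") == "y" and (period.text or "").isdigit()
                                   and 1 <= int(period.text) <= max_years):
        errors.append("registration period must be 1 to 10 years")
    # Rules 6 and 7: 0 to 13 name servers, host object model only (no hostAttr).
    if create.find("domain:ns/domain:hostAttr", NS) is not None:
        errors.append("host attribute model not supported; use host objects")
    if len(create.findall("domain:ns/domain:hostObj", NS)) > max_ns:
        errors.append("at most 13 name servers are permitted")
    # Rules 2 to 5: registrant, admin, tech required; billing optional; all must exist (IDs case-insensitive).
    known = {cid.lower() for cid in contacts}
    refs = {"registrant": create.findtext("domain:registrant", namespaces=NS)}
    for contact in create.findall("domain:contact", NS):
        refs[contact.get("type")] = contact.text
    for role in ("registrant", "admin", "tech", "billing"):
        cid = refs.get(role)
        if cid is None and role != "billing":
            errors.append(f"{role} contact is required")
        elif cid is not None and cid.lower() not in known:
            errors.append(f"{role} contact {cid} does not exist")
    # Rule 12: authInfo is required and limited to 48 bytes of UTF-8 (bytes, not characters).
    pw = create.findtext("domain:authInfo/domain:pw", namespaces=NS)
    if pw is None:
        errors.append("authInfo is required")
    elif len(pw.encode("utf-8")) > authinfo_bytes:
        errors.append("authInfo exceeds 48 bytes of UTF-8")
    return errors

# Constructed sample domain:create command frame (not taken from the application).
SAMPLE_FRAME = """<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"><command><create>
 <domain:create xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
  <domain:name>example.axis</domain:name><domain:period unit="y">2</domain:period>
  <domain:ns><domain:hostObj>ns1.example.net</domain:hostObj></domain:ns>
  <domain:registrant>sh8013</domain:registrant><domain:contact type="admin">sh8013</domain:contact>
  <domain:contact type="tech">SH8014</domain:contact>
  <domain:authInfo><domain:pw>2fooBAR</domain:pw></domain:authInfo>
 </domain:create></create><clTRID>ABC-12345</clTRID></command></epp>"""
```

A 25-character authInfo made of two-byte characters is rejected even though it is well under 48 characters, which is the byte-versus-character distinction the rule turns on.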

25.3.2. Host objects

1. host names must comply with RFC 1035. The maximum length of the host name may not exceed 255 characters.
2. in-bailiwick hosts must have an IPv4 address. They may optionally have an IPv6 address.
3. multiple IP addresses are not currently permitted.
4. sponsorship of hosts is determined as follows: if an object is in-bailiwick (i.e. child of a domain in the database, and therefore also child to a TLD in the system), then the sponsor is the sponsor of the parent domain. If the object is out-of-bailiwick, the sponsor is the registrar which created the host object.
5. if a registrar submits a change to the name of a host object, and the new host name is subordinate to an in-bailiwick domain, then that registrar must be the sponsor of the new parent domain.
6. registrars are not permitted to create hosts that are subordinate to a non-existent in-bailiwick domain, or to change the name of a host object so that it is subordinate to a non-existent in-bailiwick domain.
7. a host cannot be deleted if one or more domains are delegated to it (the registry deletes hosts to remove orphan glue, see §28).
8. inter-registrar transfers are not permitted.
9. only the sponsoring registrar of the host may submit “update” or “delete” commands for the object.
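The host sponsorship, address and rename rules above as an added Python example, not CentralNic's implementation: the TLD set and the domain and host tables are constructed, and rules 2 and 3 are read together as at most one address of each family.

```python
import ipaddress

# Constructed registry state, not taken from the application.
TLDS = {"axis"}
DOMAINS = {"example.axis": "registrar-a", "other.axis": "registrar-b"}         # domain -> sponsor
HOSTS = {"ns1.example.axis": "registrar-a", "ns1.example.net": "registrar-b"}  # host -> sponsor

def parent_domain(hostname):
    """In-bailiwick parent (a domain under a TLD in the system), or None if out-of-bailiwick."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 3 and labels[-1] in TLDS else None

def sponsor_for(hostname, registrar, domains):
    """Rules 4 and 6: in-bailiwick hosts inherit the parent's sponsor, and the parent must exist."""
    parent = parent_domain(hostname)
    if parent is None:
        return registrar, None          # out-of-bailiwick: the creating registrar sponsors it
    if parent not in domains:
        return None, f"parent domain {parent} does not exist"
    return domains[parent], None

def validate_host_create(hostname, addrs, registrar, domains=DOMAINS):
    """Return (sponsor, errors) for a host:create; sponsor is None when the request is rejected."""
    errors = []
    if len(hostname) > 255:             # rule 1
        errors.append("host name exceeds 255 characters")
    sponsor, err = sponsor_for(hostname, registrar, domains)
    if err:
        errors.append(err)
    versions = [ipaddress.ip_address(a).version for a in addrs]
    # Rules 2 and 3: at most one address of each family; in-bailiwick hosts need an IPv4 address.
    if versions.count(4) > 1 or versions.count(6) > 1:
        errors.append("multiple addresses of one family are not permitted")
    if parent_domain(hostname) is not None and 4 not in versions:
        errors.append("in-bailiwick hosts must have an IPv4 address")
    return (None if errors else sponsor), errors

def validate_host_rename(old_name, new_name, registrar, domains=DOMAINS, hosts=HOSTS):
    """Rules 5, 6 and 9: only the sponsor may rename, and an in-bailiwick new parent must
    exist and be sponsored by the requesting registrar. Returns the list of violations."""
    if hosts.get(old_name.lower()) != registrar:
        return [f"{registrar} does not sponsor {old_name}"]
    new_sponsor, err = sponsor_for(new_name, registrar, domains)
    if err:
        return [err]
    if parent_domain(new_name) is not None and new_sponsor != registrar:
        return [f"{registrar} does not sponsor the new parent domain {parent_domain(new_name)}"]
    return []
```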

25.3.3. Contact objects

1. contact IDs may only contain characters from the set [A-Z, 0-9, . (period), - (hyphen) and _ (underscore)] and are case-insensitive.
2. phone numbers and email addresses must be valid as described in RFC 5733 §2.5 and §2.6.
3. contact information is accepted and stored in "internationalized" format only: that is, contact objects only have a single “contact:postalInfo” element and the type attribute is always "int".
4. the “contact:org”, “contact:sp”, “contact:pc”, “contact:phone” and “contact:fax” elements are optional.
5. contacts must have an authInfo code which is used in inter-registrar transfers. This code may contain up to 48 bytes of UTF-8 character data.
6. a contact cannot be deleted if one or more domains are associated with it.
7. only the sponsoring registrar of the contact may submit “update” or “delete” commands for the object.

25.4. EPP Extensions

CentralNic supports the following EPP extensions. CentralNic's implementations fully comply with the required specifications.

25.4.1. Registry Grace Period Mapping

Various grace periods and hold periods are supported by the Registry Grace Period mapping, as defined in RFC 3915. This is described further in §27.

25.4.2. DNSSEC Security Extensions Mapping

Registrars may submit Delegation Signer (DS) record information for domains under their sponsorship. This permits the establishment of a secure chain-of-trust for DNSSEC validation.

CentralNic supports the specification defined in RFC 5910. This supports two interfaces: the DS Data Interface and Key Data Interface. CentralNic supports the former interface (DS Data), where registrars submit the keytag, algorithm, digest type and digest for DS records as XML elements, rather than as key data. Key data is stored if provided as a child element of the “secDNS:dsData” element. The maxSigLife element is optional in the specification and is not currently supported.

25.4.3. Launch Phase Extension

CentralNic has assisted development of a standard EPP extension for registry "launch phases" (i.e. Sunrise and Landrush periods), during which the steady-state mode of "first-come, first-served" operation does not apply. This extension permits registrars to submit requests for domains with claimed rights such as a registered trademark. The extension is currently described in an Internet-Draft (see http://tools.ietf.org/html/draft-tan-epp-launchphase-00). It is hoped that this draft will eventually be published as an RFC which can be implemented by other registries and registrars.

CentralNic's system implements this extension and will support the most recent version of the draft during the initial launch of the TLD. Once the TLD enters General Availability, this extension will no longer be available for use by registrars. Example frames describing the use of this extension are included in Appendix 25.2. As of writing, the current draft does not include a full schema definition, but a schema from a previous version has been included in Appendix 25.3. When the Draft is updated to include a schema, it will be based on this version.

25.5. Registrar Credentials and Access Control

Registrars are issued with a username (their registrar ID) and a password. This password cannot be used to access any other service and only this password can be used to access the EPP system. Registrar officers with the "Management" access level can change their EPP password via the Registrar Console.

RFC 5730 requires "mutual, strong client-server authentication". CentralNic requires that all registrars connect using an SSL certificate. This certificate may be obtained from a recognised certificate authority, or it may be a self-signed certificate registered with CentralNic via the Registrar Console. Registrar officers with the "Management" access level can upload SSL certificates for their account.

25.6. Session Limits and Transaction Volumes

There are no limits on the number of active sessions a registrar can maintain with the server. Similarly, there are no limits on the volume of transactions a registrar may send. However, the system is fully capable of imposing connection limits and this measure may be used in future to ensure equal access amongst registrars.

25.7. Transaction Logging and Reporting

All "transform" commands are logged. Transform commands are: “create”, “renew”, “update”, “delete” and “transfer”. The system logs the time and date when the command was received, the registrar which submitted it, the request and response frames, the result code and message. All commands, whether successful or not, are logged.

The transaction log is stored in the primary registry database. Registrars have access to the log for their account via the Registrar Console. The log viewer permits filtering by command, object type, object ID (domain, host name, contact ID), result code and timestamp.

Query commands (“check”, “info”, “poll op="req"”) and session commands (“login”, “logout” and “hello”) are not logged due to the large volume of such queries (particularly “check” queries). The EPP system uses counters for these commands to facilitate generation of monthly reports.

25.8. EPP Message Queue

The EPP protocol provides a message queue to provide registrars with notifications for out-of-band events. CentralNic currently supports the following EPP message notifications:
approved inbound transfer
rejected inbound transfer
new outbound transfer
cancelled outbound transfer
approved or rejected domain registration request (where TLD policy requires out-of-band approval of “domain:create” requests)

25.9. Registrar Support, Software Toolkit

CentralNic has supported EPP for many years. CentralNic has released a number of open source client libraries for several popular programming languages. These are used by registrars and registries around the world. CentralNic maintains the following open source EPP libraries:
Net::EPP, a general purpose EPP library for Perl. See http://code.google.com/p/perl-net-epp/
Preppi, a graphical EPP client written in Perl. See https://www.centralnic.com/company/labs/preppi
Net_EPP, a PHP client class for EPP. See https://github.com/centralnic/php-epp
Simpleepp, a Python client class for EPP. See https://bitbucket.org/milosn/simpleepp
tx-epp-proxy, an EPP reverse proxy for shared-nothing client architectures written in Python. See https://bitbucket.org/milosn/tx-epp-proxy

These libraries are available for anyone to use, at no cost. CentralNic develops these libraries, and accepts submissions and bug reports from users around the world.

25.10. Quality Assurance, RFC Compliance

To ensure that its EPP system fully complies with the relevant specifications documents, CentralNic has implemented the following:

25.10.1. Schema Validation

The EPP system automatically validates all response frames against the XSD schema definitions provided in the RFCs. Should a non-validating response be sent to a registrar, an alert is raised with the NOC to be investigated and corrected. By default, this feature is disabled in the production environment but it is enabled in all other environments (as described below).

25.10.2. Multi-stage Deployment and Testing

EPP system code is developed, tested and deployed in a multi-stage environment:
1. Developers maintain their own development environment in which new code is written and changes are prepared. Development environments are configured with the highest level of debugging and strictness to provide early detection of faults.
2. All changes to the EPP system are subjected to peer review: other developers in the team must review, test and sign off the changes before being committed (or, if developed on a branch, being merged into the stable branch).
3. Changes to EPP system code are then deployed in the OT&E environment. Registrars continually test this system as part of their own QA processes, and this additional phase provides an additional level of quality assurance.

25.10.3. Registrar Feedback

Registrars are provided with an easy way to report issues with the EPP system, and many perform schema validation on the responses they receive. When issues are detected by registrars, they are encouraged to submit bug reports so that developers can rectify the issues.

25.11. EPP System Resourcing

As can be seen in the Resourcing Matrix found in Appendix 23.2, CentralNic will maintain a team of full-time developers and engineers which will contribute to the development and maintenance of this aspect of the registry system. These developers and engineers will not work on specific subsystems full-time, but a certain percentage of their time will be dedicated to each area. The total HR resource dedicated to this area is equivalent to more than one full-time person.

CentralNic operates a shared registry environment where multiple registry zones (such as CentralNic's domains, the .LA ccTLD, this TLD and other gTLDs) share a common infrastructure and resources. Since the TLD will be operated in an identical manner to these other registries, and on the same infrastructure, the TLD will benefit from an economy of scale with regards to access to CentralNic's resources.

CentralNic's resourcing model assumes that the "dedicated" resourcing required for the TLD (i.e. that required to deal with issues related specifically to the TLD and not to general issues with the system as a whole) will be equal to the proportion of the overall registry system that the TLD will use. After three years of operation, the optimistic projection for the TLD states that there will be 1000 domains in the zone. CentralNic has calculated that, if all its TLD clients are successful in their applications, and all meet their optimistic projections after three years, its registry system will be required to support up to 4.5 million domain names. Therefore the TLD will require less than 0.1% of the total resources available for this area of the registry system.

In the event that registration volumes exceed this figure, CentralNic will proactively increase the size of the Technical Operations, Technical Development and support teams to ensure that the needs of the TLD are fully met. Revenues from the additional registration volumes will fund the salaries of these new hires. Nevertheless, CentralNic is confident that the staffing outlined above is sufficient to meet the needs of the TLD for at least the first 18 months of operation.
