The Extensible Provisioning Protocol (EPP) is a flexible protocol designed for allocating objects within registries over the Internet. The motivation for the creation of EPP was to create a robust and flexible protocol that could provide communication between domain name registries and domain name registrars. These transactions are required whenever a domain name is registered or renewed, thereby also preventing domain hijacking. Before its introduction, registries had no uniform approach, and many different proprietary interfaces existed. While its use for domain names was the initial driver, the protocol is designed to be usable for any kind of ordering and fulfillment system.
EPP is based on XML, a structured, text-based format. The underlying network transport is not fixed, although the only currently specified method is over TCP. The protocol has been designed with the flexibility to allow it to use other transports such as BEEP, SMTP, SOAP or HTTPS. However, only HTTPS has seen some usage, while the vast majority of deployments use TCP.
History
The first protocol drafts were published as IETF individual submission Internet Draft documents by Scott Hollenbeck of Verisign in November 2000. The individual submission documents were adopted by the IETF ''Provisioning Registry'' (''provreg'') working group, which was created after a BoF session was held at IETF-49 in December 2000. Proposed Standard documents (RFCs 3730 - 3734) were published by the RFC Editor in March 2004. Draft Standard documents (RFCs 4930 - 4934) were published in May 2007.
In August 2009, the IETF granted EPP the status of full standard as STD 69.
The first EPP extension that became a proposed standard was the redemption grace period extension from RFC 3915 in September 2004. Since then, several different proposed standard extensions have followed.
Adoption
The protocol has been adopted by a number of ccTLD domain name registries, such as: .ac, .ag, .ai, .as, .ar, .at, .au, .be, .br, .bz, .ca, .cat, .cc, .ch, .cl, .cn, .co, .cr, .cx, .cz, .dk, .dm, .ee, .es (over HTTPS), .eu, .fi, .fm, .fr, .gg, .gr (over HTTPS), .gs, .hn, .ht, .il, .im, .in, .io, .it (over HTTPS), .je, .ke, .ki, .ky, .kz, .la, .lc, .li, .lt, .lu, .lv, .md, .me, .mk, .mn, .ms, .mu, .mx, .na, .nf, .ng, .nl, .no, .nu, .nz, .pe, .pk, .pl (over HTTPS), .ps, .pt, .ru, .ro, .sc, .se, .sh, .si, .su, .tl, .tm, .tv, .tw, .ua, .uk, .us, .vc, .ve and .za, as well as ENUM registries such as those operating the +31, +41, +43, +44 and +48 country codes.
ICANN has made it a condition in its base registry contract to offer an EPP service. Therefore, every gTLD has adopted the protocol.
There are multiple open source implementations of EPP server software. The Council of Country Code Administrators (CoCCA) maintains EPP server software used by around 59 ccTLDs and six gTLDs. Another open source implementation is FRED (maintained by CZ.NIC), which counts 11 ccTLDs as its users.
Protocol commands
There are three classes of commands: session management, query, and object transform. These commands are then mapped onto objects, which specify their exact functionality.
The most common standardized objects are hosts, contacts and domains.
There are also other standardized objects, such as organizations; however, they are rarely used.
When the client connects to a server, the server immediately sends a "greeting" message to the client. This message contains the information about the server that the client needs in order to proceed: the name of the server, the server's current date and time in UTC, the supported features, and a privacy policy. The supported features include EPP versions, languages, objects, and extensions.
The session management commands are:
The query commands are:
The object transform commands are:
Example
An example command to create a domain could look like this (shown here as the element values only):
* name: example.com
* period: 1
* hosts: ns1.example.net, ns2.example.net
* contacts: REG-1738, ADM-9374, OTH-2567, OTH-2567
* authInfo pw: y85NS%FJ4zeKuHXo
* clTRID: uu28qbb2wo6o5bpk
Note that the two host objects and the three different contact objects had to be created beforehand in order to use them, and the client had to be logged in already. The authInfo pw is a secret required in the transfer between registrars. The clTRID is a unique transaction ID that the client generates for each command.
A server response to the command above could look like this (element values only):
* result: Command completed successfully
* name: example.com
* creation date: 2023-03-12T12:00:00.0Z
* expiration date: 2024-03-12T12:00:00.0Z
* clTRID: uu28qbb2wo6o5bpk
* svTRID: ma3fuaeuh7bzpgv9
The clTRID is the same as the one the client sent, while the svTRID is a unique transaction ID that the server generates. The server returns a result code, a message, and additional result data, such as the expiration date of the newly created domain.
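As an added example that is not part of the original article, the following Python builds the create command above with the RFC 5731 domain mapping, frames it for the RFC 5734 TCP transport (a 4-octet length header), and checks a constructed server response, including that the echoed clTRID is the one the client sent. The contact roles (admin, tech, billing) and the sample response bytes are assumptions made for illustration.

```python
import struct
import xml.etree.ElementTree as ET

EPP, DOM = "urn:ietf:params:xml:ns:epp-1.0", "urn:ietf:params:xml:ns:domain-1.0"
ET.register_namespace("", EPP)        # serialise <epp> in the default namespace
ET.register_namespace("domain", DOM)  # and the object mapping as domain:*

def build_domain_create(name, years, hosts, registrant, contacts, pw, cl_trid):
    """Serialise a <domain:create> command (RFC 5731 layout) as UTF-8 bytes."""
    epp = ET.Element(f"{{{EPP}}}epp")
    cmd = ET.SubElement(epp, f"{{{EPP}}}command")
    d = ET.SubElement(ET.SubElement(cmd, f"{{{EPP}}}create"), f"{{{DOM}}}create")
    ET.SubElement(d, f"{{{DOM}}}name").text = name
    ET.SubElement(d, f"{{{DOM}}}period", unit="y").text = str(years)
    ns = ET.SubElement(d, f"{{{DOM}}}ns")
    for h in hosts:  # host objects must already exist at the registry
        ET.SubElement(ns, f"{{{DOM}}}hostObj").text = h
    ET.SubElement(d, f"{{{DOM}}}registrant").text = registrant
    for role, cid in contacts:  # assumed roles, e.g. ("admin", "ADM-9374")
        ET.SubElement(d, f"{{{DOM}}}contact", type=role).text = cid
    ET.SubElement(ET.SubElement(d, f"{{{DOM}}}authInfo"), f"{{{DOM}}}pw").text = pw
    ET.SubElement(cmd, f"{{{EPP}}}clTRID").text = cl_trid
    return b'<?xml version="1.0" encoding="UTF-8"?>' + ET.tostring(epp, "utf-8")

def frame(xml_bytes):
    """RFC 5734 TCP framing: 4-octet big-endian total length, header included."""
    return struct.pack("!I", len(xml_bytes) + 4) + xml_bytes

def unframe(data):
    """Return (xml_bytes, remaining_bytes); ValueError on a short/malformed frame."""
    total = struct.unpack("!I", data[:4])[0] if len(data) >= 4 else 0
    if total < 4 or len(data) < total:
        raise ValueError("incomplete or malformed EPP frame")
    return data[4:total], data[total:]

def check_response(xml_bytes, expected_cl_trid):
    """Return (code, msg, svTRID); reject a response whose clTRID is not ours."""
    root = ET.fromstring(xml_bytes)
    result = root.find(f"{{{EPP}}}response/{{{EPP}}}result")
    trid = root.find(f"{{{EPP}}}response/{{{EPP}}}trID")
    if trid is None or trid.findtext(f"{{{EPP}}}clTRID") != expected_cl_trid:
        raise ValueError("clTRID mismatch: not the reply to our command")
    return int(result.get("code")), result.findtext(f"{{{EPP}}}msg"), trid.findtext(f"{{{EPP}}}svTRID")

# Constructed server response mirroring the article's example, framed as on the wire.
SAMPLE_RESPONSE = frame(b'<?xml version="1.0" encoding="UTF-8"?><epp xmlns="urn:ietf:params:xml:ns:epp-1.0">'
    b'<response><result code="1000"><msg>Command completed successfully</msg></result>'
    b'<trID><clTRID>uu28qbb2wo6o5bpk</clTRID><svTRID>ma3fuaeuh7bzpgv9</svTRID></trID></response></epp>')
```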
Extensions
The protocol offers the ability to send an extension object on almost every possible command, enabling registries to add new functionality without changing the base commands.
There are a few standardized extensions that are used by many registries. These include extensions for DNSSEC, IDN, premium domain names, domain restoration (RGP), and extensions to handle the launch of new TLDs and registry maintenance, among other things.
Some registries have also developed extensions that are specific to their TLDs. A common use case for non-standardized extensions is collecting extra data needed to create a domain, for example a VAT identification number.
Result codes
All responses from the server have to follow a specified format. Each response code corresponds to a human-readable message. Codes of the form 1xxx indicate successful operations, while codes of the form 2xxx are errors. The errors are further divided into protocol syntax errors (20xx), implementation-specific rules (21xx), security (22xx), data management (23xx), server system (24xx), and connection management (25xx). Most results can include additional data in the resData object, for example which required parameter is missing.
The response code 1001 enables offline processing; an example is a domain name registry that wants to validate a registrant before the domain is registered. In this case, the domain is blocked for other clients until the process is complete, and the client is notified via a poll message, which it can fetch via the poll command. The codes 1300 and 1301 are specific to the poll command and signal whether there is a message.
The complete list of standardized result codes and result messages is:
EPP object status codes
There are two types of status codes: server and client. The difference is that server status codes can only be set and removed by the registry, while client status codes can also be set and removed by the registrar, unless a server status code prohibits it.
The server status codes are commonly used to handle domain abuse cases, to mark the domain lifecycle stage, or to offer extra security against unauthorized tampering, a service often referred to as Registry-Lock.
The client status codes are also commonly used to handle abuse cases, non-payment or invalid contact data, or for a Registrar-Lock feature.
The currently standardized server status codes are:
The currently standardized client status codes are:
Security considerations
EPP only offers plain text passwords; additionally, the EPP login password type is specified to be a string of 6-16 characters, which might be considered very low by today's standards. Connections over TCP therefore must use TLS, and the use of client certificates, as well as correct identity confirmation of the client and server, is strongly encouraged.
Many domain name registries also offer to set up an IP whitelist for connecting to their EPP servers.
EPP offers some protection against replay attacks via the client-generated clTRID; however, this element is optional and is therefore not used by every server software. Additional anti-replay mechanisms should therefore be implemented by the transport mechanism used.
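An added illustration in Python (not from the original article) of the points above: a client-side TLS context that verifies the registry's certificate and hostname and presents a client certificate, the 6-16 character login password bound, unpredictable clTRIDs, and a server-side guard that rejects a clTRID repeated within a session. The certificate file paths and the guard's no-eviction policy are assumptions.

```python
import secrets
import ssl

def make_epp_tls_context(ca_file=None, client_cert=None, client_key=None):
    """Client TLS settings for EPP over TCP: verify the registry's certificate and
    hostname, require TLS 1.2+, and present a client certificate when the registry
    issued one. All file paths are placeholders supplied by the caller."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True  # confirm the server's identity, not just its key
    ctx.verify_mode = ssl.CERT_REQUIRED
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)  # confirm our own identity
    return ctx

def validate_login_password(pw):
    """Enforce the EPP pwType bound of 6 to 16 characters; returns pw unchanged."""
    if not 6 <= len(pw) <= 16:
        raise ValueError("EPP login password must be 6-16 characters")
    return pw

def new_cl_trid():
    """Fresh, unpredictable clTRID (RFC 5730 trIDStringType allows 3-64 chars)."""
    return secrets.token_hex(16)  # 32 hex characters

class ReplayGuard:
    """Server-side check: a clTRID already processed in this session is a replay.
    Keeping every id for the session lifetime is an assumption; a real server
    would bound the set."""

    def __init__(self):
        self._seen = set()

    def accept(self, cl_trid):
        """True the first time a clTRID is seen, False on any repeat."""
        if cl_trid is None:  # clTRID is optional, so nothing to detect replays with
            return True
        if cl_trid in self._seen:
            return False
        self._seen.add(cl_trid)
        return True
```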
Related RFCs
* , ''Generic Registry-Registrar Protocol Requirements''
* , ''Extensible Provisioning Protocol (EPP)'' (obsoletes , which obsoleted )
* , ''Extensible Provisioning Protocol (EPP) Transport over TCP'' (obsoletes )
EPP Objects RFCs
* , ''Extensible Provisioning Protocol (EPP) Domain Name Mapping'' (obsoletes )
* , ''Extensible Provisioning Protocol (EPP) Host Mapping'' (obsoletes )
* , ''Extensible Provisioning Protocol (EPP) Contact Mapping'' (obsoletes )
* , ''Extensible Provisioning Protocol (EPP) Organization Mapping''
EPP Extension RFCs
* , ''Guidelines for Extending EPP''
* , ''Domain Registry Grace Period Mapping'' (e.g. Add Grace Period, Redemption Grace Period)
* , ''E.164 Number Mapping for the Extensible Provisioning Protocol (EPP)''
* , ''ENUM Validation Information Mapping for the Extensible Provisioning Protocol''
* , ''Domain Name System (DNS) Security Extensions Mapping for the Extensible Provisioning Protocol (EPP)'' (obsoletes , DNSSEC)
* , ''Launch Phase Mapping for the Extensible Provisioning Protocol (EPP)''
* , ''Allocation Token Extension for the Extensible Provisioning Protocol (EPP)''
* , ''Organization Extension for the Extensible Provisioning Protocol (EPP)''
* , ''Change Poll Extension for the Extensible Provisioning Protocol (EPP)''
* , ''Registry Fee Extension for the Extensible Provisioning Protocol (EPP)''
* , ''Login Security Extension for the Extensible Provisioning Protocol (EPP)''
* , ''Extensible Provisioning Protocol (EPP) Unhandled Namespaces''
* , ''Extensible Provisioning Protocol (EPP) Secure Authorization Information for Transfer''
* , ''Registry Maintenance Notification for the Extensible Provisioning Protocol (EPP)''
See also
* WHOIS
* Registration Data Access Protocol
* ICANN
* Internationalized domain name
* Glue record
* RESTful Provisioning Protocol