EPP Protocol: How Registrars Communicate
## What EPP Is and Why It Exists
The Extensible Provisioning Protocol (EPP) is the machine-to-machine language of the domain name system. Every time you register a domain through a registrar, that registrar sends EPP commands to the registry over a TLS-encrypted TCP connection. The registry processes those commands — creating the domain object, adding nameservers, managing contacts — and returns structured XML responses.
EPP was developed by the IETF and standardized in RFC 5730–5734. Before EPP, registrars used a variety of ad-hoc protocols and shared registry access systems with no standard interface. EPP unified the provisioning layer, enabling any accredited registrar to interact with any EPP-compliant registry using the same command set.
ICANN mandates EPP compliance for all gTLD registries. Most ccTLD registries have also adopted it, though some operate proprietary interfaces.
## The EPP Session Model
EPP operates over a persistent TCP connection on port 700, always encrypted with TLS. A session lifecycle looks like this:
1. **Connect**: The client establishes a TLS connection. The server sends a `<greeting>` announcing its capabilities.
2. **Login**: The client sends `<login>` with its credentials. The server confirms.
3. **Command exchange**: The client sends commands; the server responds to each one.
4. **Logout**: The client sends `<logout>`. The connection closes.
Sessions are stateful — the server maintains context for the authenticated client across commands. This is different from HTTP's stateless model and requires the client to keep the connection alive or re-authenticate for each batch of operations. A `<login>` command looks like this:
```xml
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
  <command>
    <login>
      <clID>registrar-id-123</clID>
      <pw>secretpassword</pw>
      <options>
        <version>1.0</version>
        <lang>en</lang>
      </options>
      <svcs>
        <objURI>urn:ietf:params:xml:ns:domain-1.0</objURI>
        <objURI>urn:ietf:params:xml:ns:contact-1.0</objURI>
        <objURI>urn:ietf:params:xml:ns:host-1.0</objURI>
      </svcs>
    </login>
    <clTRID>ABC-12345</clTRID>
  </command>
</epp>
```
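As an added example (not code from the original article), the following Python builds the same `<login>` command with the standard library, frames it the way RFC 5734 requires on the TCP session (a 4-byte big-endian length that counts itself), and reads the result code out of a constructed server reply. The 1 MiB frame cap, the sample reply and the helper names are assumptions.

```python
import struct
import xml.etree.ElementTree as ET
EPP = "urn:ietf:params:xml:ns:epp-1.0"
ET.register_namespace("", EPP)             # serialize epp-1.0 as the default namespace
q = lambda tag: f"{{{EPP}}}{tag}"          # Clark-notation helper for epp-1.0 element names
def frame(message: bytes) -> bytes:
    """RFC 5734 framing: a 4-byte big-endian length that includes the header itself."""
    return struct.pack(">I", len(message) + 4) + message

def unframe(buf: bytes) -> tuple[bytes, bytes]:
    """Split one framed message off a receive buffer -> (payload, remainder)."""
    if len(buf) < 4:
        raise ValueError("need 4-byte length header")
    (total,) = struct.unpack(">I", buf[:4])
    if total < 4 or total > 1 << 20:       # 1 MiB cap is an assumption, not from the RFC
        raise ValueError(f"implausible frame length {total}")
    if len(buf) < total:
        raise ValueError("incomplete frame")
    return buf[4:total], buf[total:]

def build_login(clid, pw, cltrid, obj_uris, ext_uris=()) -> bytes:
    """Serialize an RFC 5730 <login> command shaped like the one shown above."""
    epp = ET.Element(q("epp"))
    cmd = ET.SubElement(epp, q("command"))
    login = ET.SubElement(cmd, q("login"))
    ET.SubElement(login, q("clID")).text = clid
    ET.SubElement(login, q("pw")).text = pw    # never log the serialized command unredacted
    opts = ET.SubElement(login, q("options"))
    ET.SubElement(opts, q("version")).text = "1.0"
    ET.SubElement(opts, q("lang")).text = "en"
    svcs = ET.SubElement(login, q("svcs"))
    for uri in obj_uris:
        ET.SubElement(svcs, q("objURI")).text = uri
    if ext_uris:                           # extensions are announced in <svcExtension>/<extURI>
        ext = ET.SubElement(svcs, q("svcExtension"))
        for uri in ext_uris:
            ET.SubElement(ext, q("extURI")).text = uri
    ET.SubElement(cmd, q("clTRID")).text = cltrid
    return ET.tostring(epp, encoding="utf-8", xml_declaration=True)

SAMPLE_RESPONSE = (  # constructed sample server reply, not captured from any registry
    b'<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"><response><result code="1000">'
    b'<msg>Command completed successfully</msg></result><trID><clTRID>ABC-12345'
    b'</clTRID><svTRID>SRV-1</svTRID></trID></response></epp>')

def result_code(response: bytes) -> tuple[int, str]:
    """Return (code, msg) from <result>; 1xxx means success, 2xxx an error (RFC 5730)."""
    if (res := ET.fromstring(response).find(".//" + q("result"))) is None:
        raise ValueError("no <result> element in response")
    return int(res.get("code")), res.findtext(q("msg"), "")
```

A real client would wrap the socket in TLS, send `frame(build_login(...))`, and feed received bytes through `unframe` until a complete frame is available before parsing it.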
## Core EPP Objects
EPP manages three object types:
**Domain**: The domain name itself (e.g., `example.com`). Domain objects hold nameserver references, registrant and admin contact links, status flags, expiration dates, and the auth code.
**Contact**: Registrant, admin, tech, and billing contacts. Each contact has a unique ID within the registry, name, postal address, phone, and email. GDPR and WHOIS privacy considerations have led many registries to relax contact data requirements or allow redaction.
**Host (Nameserver)**: Host objects represent individual nameserver hostnames. When a nameserver's hostname falls inside the domain it serves (e.g., `ns1.example.com` for `example.com`), a host object with IP address(es) must exist at the registry; these become glue records in the TLD zone.
## EPP Commands: The Full Lifecycle
```
create → info → update → transfer → delete
```
**`<check>`** — Query whether a domain name is available. Returns `avail="1"` or `avail="0"` for each queried name. Registrar front-ends use this constantly for availability searches.
```xml
<check>
  <domain:check xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
    <domain:name>example.com</domain:name>
    <domain:name>example.net</domain:name>
  </domain:check>
</check>
```
**`<create>`** — Register a new domain. Must specify registrant contact, admin contact, nameservers, registration period (in years), and auth code.
**`<info>`** — Retrieve full details of a domain object, including all status flags, expiration date, contacts, nameservers, and the auth code (only visible to the sponsoring registrar).
**`<update>`** — Modify a domain. Can add/remove nameservers, change contacts, add/remove status flags. The update command has `<add>`, `<rem>`, and `<chg>` sub-elements.
**`<renew>`** — Extend registration by a specified period (up to 10 years from current expiry).
**`<transfer>`** — Initiate, approve, reject, cancel, or query a transfer. The transfer command requires the auth code from the current registrar. The registry enforces a 5-day pending period during which the losing registrar can explicitly approve or reject (otherwise auto-approved after 5 days).
**`<delete>`** — Queue a domain for deletion. The domain enters the grace period and then, if not restored, the redemption period before final deletion.
## The EPP Auth Code
The EPP auth code (also called AuthCode, AuthInfo, or transfer secret) is a registry-generated or registrar-set password attached to a domain object. It is required to initiate an outgoing domain transfer. Without the auth code, no third party can move your domain to another registrar.
Auth codes are visible only to the sponsoring registrar via EPP `<info>`. Registrars expose them through their control panels, usually behind additional authentication. A code that has been used (transfer completed or failed) should be invalidated and a new one generated.
```xml
<domain:authInfo>
  <domain:pw>sampleAuthCode123</domain:pw>
</domain:authInfo>
```
## EPP Status Flags and What They Mean
EPP defines a set of status values that control what operations are permitted on a domain object:
| Status | Meaning |
|---|---|
| `ok` | No restrictions; normal state |
| `clientTransferProhibited` | Registrar has locked transfers (common default) |
| `clientUpdateProhibited` | Changes to the domain object are locked |
| `clientDeleteProhibited` | Domain cannot be deleted |
| `serverTransferProhibited` | Registry-level transfer lock (ICANN mandates for 60 days post-transfer) |
| `pendingTransfer` | Transfer in progress |
| `pendingDelete` | Domain queued for deletion (entering grace periods) |
| `redemptionPeriod` | Domain in Redemption Period, restore possible |
The `clientTransferProhibited` flag is what most registrars call "domain lock." Disabling it is the first step before initiating an outgoing transfer.
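An added example (not from the original article) that parses two constructed registry responses: it reads the `avail` flags out of a `<check>` reply as described in the commands section, and evaluates the `<domain:status>` flags in an `<info>` reply to report whether a domain is client-locked, server-locked, mid-transfer, or open to transfer. The response bodies, dates and the labels returned by `audit_transfer_lock` are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"epp": "urn:ietf:params:xml:ns:epp-1.0",
      "domain": "urn:ietf:params:xml:ns:domain-1.0"}

# Constructed sample responses (not captured from any registry).
CHECK_RESPONSE = """<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"><response>
  <result code="1000"><msg>Command completed successfully</msg></result>
  <resData><domain:chkData xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
    <domain:cd><domain:name avail="0">example.com</domain:name>
      <domain:reason>In use</domain:reason></domain:cd>
    <domain:cd><domain:name avail="1">example.net</domain:name></domain:cd>
  </domain:chkData></resData>
</response></epp>"""

INFO_RESPONSE = """<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"><response>
  <result code="1000"><msg>Command completed successfully</msg></result>
  <resData><domain:infData xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
    <domain:name>example.com</domain:name>
    <domain:status s="clientTransferProhibited"/>
    <domain:status s="clientUpdateProhibited"/>
    <domain:exDate>2026-03-01T00:00:00.0Z</domain:exDate>
  </domain:infData></resData>
</response></epp>"""

def check_availability(xml_text: str) -> dict[str, bool]:
    """Map each queried name to True (available) or False, from a <check> response."""
    root = ET.fromstring(xml_text)
    return {n.text.strip(): n.get("avail") == "1"
            for n in root.findall(".//domain:chkData/domain:cd/domain:name", NS)}

def domain_statuses(xml_text: str) -> set[str]:
    """Collect the s= attribute of every <domain:status> in an <info> response."""
    root = ET.fromstring(xml_text)
    return {s.get("s") for s in root.findall(".//domain:infData/domain:status", NS)}

def audit_transfer_lock(xml_text: str) -> str:
    """Classify how an <info> response says the domain is protected against transfer.
    A server lock can only be lifted by the registry; a client lock by the sponsoring registrar."""
    st = domain_statuses(xml_text)
    if "pendingTransfer" in st:
        return "transfer-pending"
    if "serverTransferProhibited" in st:
        return "server-locked"
    if "clientTransferProhibited" in st:
        return "client-locked"
    return "unlocked"       # a transfer could be started with nothing more than the auth code
```

Running `audit_transfer_lock` over periodic `<info>` results for a portfolio is a cheap way to detect a domain whose lock was silently removed before a transfer request arrives.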
## EPP Extensions
The "Extensible" in EPP is no accident. Registries implement custom extensions for features beyond the base RFC. Common extensions include:
- **Launch Phase** (`launch-1.0`): Sunrise and landrush period management
- **Fee** (`fee-0.21`): Real-time fee queries for premium domains
- **DNSSEC** (`secDNS-1.1`): DS record management (the DS record that appears at the parent zone is submitted via this extension)
- **RGP**: Redemption Grace Period restore commands
- **IDN** (`idn-1.0`): Internationalized domain name language tags
Extensions are negotiated during login in the `<svcExtension>` element of the `<svcs>` block.
## How RDAP (Registration Data Access Protocol) Relates to EPP
RDAP (Registration Data Access Protocol) is the public-facing complement to EPP. Where EPP is the private command-and-control channel between registrar and registry, RDAP is the standardized HTTP API that anyone can query to retrieve public registration data — the modern replacement for WHOIS. See RDAP: The Modern WHOIS Replacement for the full story. For the DNS zone file and nameserver infrastructure that EPP provisions, see Zone Files: Structure and Management.