EPP Protocol

How do I generate a new UDAI in EPP?

If a new UDAI is requested by the registrant, a simple <domain:update> command can be sent with a <domain:chg> element containing a <domain:authInfo> child element with an empty <domain:pw> element. This will trigger an update of the UDAI, for example:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
  <command>
    <update>
      <domain:update xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
        <domain:name>nzrs.net.nz</domain:name>
        <domain:chg>
          <domain:authInfo>
            <domain:pw></domain:pw>
          </domain:authInfo>
        </domain:chg>
      </domain:update>
    </update>
  </command>
</epp>

The new UDAI is returned in a service message which can be retrieved by running a poll command.

Why can't I retrieve a domain:pw using domain:info?

In .nz a domain:info command will not return the current domain password. This is a side effect of how we store the domain password/UDAI.

The SRS system was designed around the expectation that should a domain password/UDAI code be misplaced then a new code would be generated upon request rather than returning the existing password/UDAI.

In this situation the most sensible design from a security perspective was for us to store the domain passwords/UDAI codes using salted cryptographically secure hashes/one-way encryption as per best practices for storing passwords. This means we are unable to return the original password.

Why can't I set my own domain:pw on a domain?

Under existing .nz systems and policies the registry is responsible for the system-generated UDAIs and we have no provision to allow a registrar to set a UDAI even if this UDAI would meet our UDAI generation criteria.

We are currently reviewing these implementation details alongside DNC's policy review and may change this in the future.

How do I set nameserver IP glue in .nz EPP?

You will need to make calls to domain:update with domain:rem and domain:add elements for the domain:ns records you need to update. Each nameserver can have two domain:hostAddr glue records, one for IPv4 and one for IPv6.

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
  <command>
    <update>
      <domain:update xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
        <domain:name>exampledomain.ac.nz</domain:name>
        <domain:add>
          <domain:ns>
            <domain:hostAttr>
              <domain:hostName>ns2.exampledomain.ac.nz</domain:hostName>
              <domain:hostAddr ip="v4">1.2.3.4</domain:hostAddr>
              <domain:hostAddr ip="v6">1080:0:0:0:8:800:200C:417A</domain:hostAddr>
            </domain:hostAttr>
          </domain:ns>
        </domain:add>
      </domain:update>
    </update>
    <clTRID>updatedomain-2014-06-24-example</clTRID>
  </command>
</epp>

As a quick reminder, the glue is only used if the nameservers for the domain are "in-bailiwick" (i.e. the nameservers for a domain are under the domain itself). If you provide glue for nameservers which are not in-bailiwick, the glue will be silently dropped by SRS.
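
Because out-of-bailiwick glue is dropped without an error, a registrar-side check before sending the update can catch it. The following is an added example, not code from the registry or from this page: the function names and the sample request are constructed for illustration, and treating a nameserver named exactly the same as the domain as in-bailiwick is an assumption.

```python
import xml.etree.ElementTree as ET

NS = {"domain": "urn:ietf:params:xml:ns:domain-1.0"}

def in_bailiwick(host, domain):
    """True when host is under the domain (or, by assumption, equal to it)."""
    host = host.strip().rstrip(".").lower()
    domain = domain.strip().rstrip(".").lower()
    # Compare on a label boundary so ns1.notexample.nz is not "under" example.nz.
    return host == domain or host.endswith("." + domain)

def dropped_glue(update_xml):
    """Return [(hostName, [addresses])] for glue that is not in-bailiwick."""
    update = ET.fromstring(update_xml).find(".//domain:update", NS)
    domain = update.findtext("domain:name", namespaces=NS)
    dropped = []
    for attr in update.iterfind("domain:add/domain:ns/domain:hostAttr", NS):
        host = attr.findtext("domain:hostName", namespaces=NS)
        addrs = [(a.text or "").strip() for a in attr.iterfind("domain:hostAddr", NS)]
        if addrs and not in_bailiwick(host, domain):
            dropped.append((host, addrs))
    return dropped

# Constructed sample request (not from the page): one in-bailiwick nameserver
# and two that are not, all carrying glue.
SAMPLE = """<epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
  <command><update>
    <domain:update xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
      <domain:name>exampledomain.ac.nz</domain:name>
      <domain:add><domain:ns>
        <domain:hostAttr>
          <domain:hostName>ns2.exampledomain.ac.nz</domain:hostName>
          <domain:hostAddr ip="v4">192.0.2.4</domain:hostAddr>
        </domain:hostAttr>
        <domain:hostAttr>
          <domain:hostName>ns1.notexampledomain.ac.nz</domain:hostName>
          <domain:hostAddr ip="v4">192.0.2.5</domain:hostAddr>
        </domain:hostAttr>
        <domain:hostAttr>
          <domain:hostName>ns1.example.net</domain:hostName>
          <domain:hostAddr ip="v6">2001:db8::53</domain:hostAddr>
        </domain:hostAttr>
      </domain:ns></domain:add>
    </domain:update>
  </update></command>
</epp>"""

if __name__ == "__main__":
    for host, addrs in dropped_glue(SAMPLE):
        print(f"glue for {host} is not in-bailiwick and would be dropped: {addrs}")
```

Running the check on every outgoing domain:update and comparing the result against what a later domain:info returns shows whether the delegation ended up with the glue you intended.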