Registry Lock Extension for the
Extensible Provisioning Protocol (EPP)
The Swedish Internet Foundation
Box 92073
Stockholm
12007
SE
ulrich@wisser.se
https://www.internetstiftelsen.se
Applications and Real-Time Area
Registration Protocols Extensions
EPP
Extensible Provisioning Protocol
registrylock
registry lock
This extensions defines an additional protective layer for
changes to domain , host
and contact
objects managed
through EPP.
EPP allows changes to objects only by the sponsoring client. EPP
objects are usually managed by the sponsoring client on behalf
of the sponsoring clients customers. All of these interactions are
ususally fully automated.
In case of a system breach, there is no protection in EPP to
changes to any object by the intruder.
This extension defines a protective layer that aims to break
automated changes and work flows by requiring manual intervention.
The actual form of manual intervention is out-of-scope for this
document. By whom and how changes can be made is up to the registry and
registrars to decide.
Introduction
This extensions defines an additional protective layer for changes
to domain , host
and contact objects
managed through EPP.
EPP allows changes to objects only by the sponsoring client. EPP
objects are usually managed by the sponsoring client on behalf of
the sponsoring clients customers. All of these interactions are
ususally fully automated.
In case of a system breach, there is no protection in EPP to
changes to any object by the intruder.
This extension defines a protective layer that aims to break
automated changes and work flows by requiring manual intervention.
The actual form of manual intervention is out-of-scope for this
document. By whom and how changes can be made is up to the registry and
registrars to decide.
Conventions Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in
.
XML is case sensitive. Unless stated otherwise, XML specifications
and examples provided in this document MUST be interpreted in the
character case presented in order to develop a conforming implementation.
In examples, "C:" represents lines sent by a protocol client and
"S:" represents lines returned by a protocol server.
Indentation and white space in examples are provided only to illustrate
element relationships and are not a REQUIRED feature of this protocol.
"regLock" is used as an abbreviation for
"urn:ietf:params:xml:ns:epp:registryLock-1.0". The XML namespace
prefix "reglock" is used, but implementations MUST NOT depend on
it and instead employ a proper namespace-aware XML parser and
serializer to interpret and output the XML documents.
Object Protection
This extension provides additional protection to objects managed
by a sponsoring client on behalf of a registrant. This is
achieved by requiring additional authorization for transform
commands.
Solutions can be broadly categorized as in-band or out-of-band
authorizations. Where in-band authorizations would provide
authorization through EPP. Whereas out-of-band solutions provide
authorization by some other means.
-
either by temporarily unlocking the object for changes
-
or by authorizing pending changes after they have been
submitted to the server
Out-of-band Authorization
Out-of-band Authorization is not covered in this document.
By definition out-of-band authorization will not use EPP and
therefore is not subject of consideration here.
Registries must provide means for the registrar or registrant
to temporarily unlock the domain, to remove registry lock or
ro authorize changes submitted to the server through some means
than EPP.
In-band Authorization
Currently defined authorization schemes are not deemed
secure enough for in-band change authorization. Therefore
this document does not allow in-band authorization. This is left as
a future development once secure enough authorization schemes have
been defined.
The current defined authorization scheme is based on static
passwords. This would mean that once a password is known any change
can be made. Security here is once again dependend on the security
of all automatic systems invloved.
Command Execution Restrictions
Once an object has Registry Lock enabled all transform
commands except <renew> MUST only be executed if
a proper authorization has been made.
Otherwise the command MUST be rejected with EPP result code
2201 "Authorization error" or
1001 "Command completed successfully; action pending"
section 3
in depending on the chosen out-of-band authorization.
if the server has returned a 1001 "Command completed successfully;
action pending" answer, it MUST follow
,
,
in handling succeeded or failed commands.
The following EPP flags must be set.
- serverDeleteProhibited
- serverTransferProhibited
- serverUpdateProhibited
If the object is unlocked the flags SHOULD be cleared and
the server should answer to an <info> request with
the according information.
OPEN QUESTION: If a domain is under registry lock, can a
subordinate host be updated?
- I got one "no" answer - hosts might not be owned by
domain owner
-
In .se/.nu all subordinary hosts are automatically
owned by the
domain owner and locked if the domain is
locked.
We need more input!
If the object is temporarily unlocked only <update> commands are allowed.
<delete> and <transfer> are explicitly not allowed.
For the time of the temporary unlock the serverUpdateProhibited status
should be cleared.
Temporary Unlock
While an object is locked some situations could require a change.
To fully unlock the object would remove all protection and could not
provide any guarantee that the object is protected again after the
desired changes have been made.
Temporarily unlocking the object allows for a more fine grained
security model for all objects.
Any temporary unlocking of the object has to be time limited. After
that time has passed no further changes are possible.
Additionally the number of allowed EPP commands can be specified to
further limit the changes possible.
Registries and registrars can further limit the possibles changes,
e.g. not allowing owner changes even for temporarily unlocked Domain
objects.
IS THE LAST PARAGRAPH A GOOD IDEA? INPUT NEEDED!!!
When an object is temporarily unlocked the serverUpdateProhibited
SHOULD be cleared while changes are possible.
When either the time for the temporary unlock has passed or the
maximum amount of EPP changes has been made the object MUST return
to a fully locked status. The serverUpdateProhibited flag MUST be
set again and the infData response MUST no longer contain a
<unlockedUntil> element.
Object Attributes
Locking Status
Locking Status information indicates if the additional
protection of Registry Lock is enabled for an object.
Boolean values MUST be represented in the XML Schema format
described in Part 2 of the W3C XML Schema recommendation
.
EPP Command Mapping
A detailed description of the EPP syntax and semantics
can be found in the EPP core protocol specification
.
EPP Query Commands
EPP <check> Command
This extension does not add any elements to the
EPP <check> command or <check> response described
in the EPP mappings
,
or
.
EPP <info> Command
This extension does not add any elements to the EPP <info>
command described in the EPP domain mapping
,
host mapping or
contact mapping
However, additional elements are defined for the <info> response.
When an <info> command has been processed successfully,
the EPP <resData> element MUST contain child elements
as described in the EPP object mappings.
In addition, the EPP <extension> element SHOULD contain a child
<regLock:infData> element that identifies the extension namespace the epp
client has indicated support for the extension in the <login> command.
The <regLock:infData> element contains the following child elements:
-
Exactly one <locked> element that indicates if Registry Lock is enabled
for the object.
-
An OPTIONAL <unlockedUntil> element if the object currently can be
changed by the sponsoring client. The field indicates the time stamp when the
lock will become active again.
-
An OPTIONAL <eppCmdCount> attribute that indicates the number of EPP
<update> commands that will be executed.
Example <domain:info> Response, domain not locked
S:
S:
S:
S: Command completed successfully
S:
S:
S:
S:
S:
S:
S: 0
S:
S:
S:
S: ABC-12345
S: 54322-XYZ
S:
S:
S:
]]>
Example <domain:info> Response, domain locked
S:
S:
S:
S: Command completed successfully
S:
S:
S:
S:
S:
S:
S: 1
S:
S:
S:
S: ABC-12345
S: 54322-XYZ
S:
S:
S:
]]>
Example <domain:info> Response, domain temporary unlocked
S:
S:
S:
S: Command completed successfully
S:
S:
S:
S:
S:
S:
S: 1
S:20000101T000000+0000
S:
S:
S:
S:
S: ABC-12345
S: 54322-XYZ
S:
S:
S:
]]>
EPP <transfer> Command
This extension does not add any elements to the EPP <transfer>
command or <transfer> response described in the EPP
mapping ,
or
.
EPP Transform Commands
EPP <create> Command
This extension is intended to be used within the scope of the object
creation. It does not define a <create> command of its own.
This extension adds elements to the EPP <create> command as
described in the EPP .
When submitting a <create> command to the server, the client
MAY include in the <extension> element a
<registryLock:lock> element to create the domain in a locked
state. The extension includes the following element:
-
A <regLock:lock> element indicating that the domain MUST
be created in a locked state.
When a <create> command has been processed successfully, the EPP
response is as described in the EPP objects mappings
,
,
.
Example <host:create> command
C:
C:
C:
C:
C: ns1.example.com
C: 192.0.2.2
C: 192.0.2.29
C: 1080:0:0:0:8:800:200C:417A
C:
C:
C:
C:
C:
C: ABC-12345
C:
C:
]]>
EPP <delete> Command
This extension does not add any elements to the EPP <delete>
command or <delete> response described in the EPP
mappings ,
or
.
If the object is locked, the EPP <delete> command MUST
be rejected with EPP response code 2201 "Authorization error"
section 3.
See
EPP <renew> Command
This extension does not add any elements to the EPP <renew>
command or <renew> response described in the EPP
mappings ,
or
.
Execution of the EPP <renew> command is not restricted by this
extension.
EPP <transfer> Command
This extension does not add any elements to the EPP <transfer>
command or <transfer> response described in the EPP
mappings ,
or
.
If the object is locked, the EPP <transfer> command MUST
be rejected with EPP response code 2201 "Authorization error"
section 3.
See
EPP <update> Command
This extension adds elements to the EPP <update> command
as described in .
If the object is not locked, the <update> command can be used to
lock the object, similarly to the <create> command.
If the object is in locked state, but temporarily unlocked, the server
MUST execute the command as if the object were unlocked.
If the object is locked the server can handle <update> commands in
two ways
-
answering the command with EPP response code 1001
"Command completed successfully; action pending"
section 3
-
rejecting with EPP response code 2201 "Authorization error"
section 3
Registries can narrow down allowed changes when a domain is locked.
Registries could prohobit changes of registrant for doamins even if
the domain is temporatily unlocked or password authorization is given.
When a <update> command has been processed successfully, the EPP
response is as described in the EPP objects mappings
,
,
.
Example <domain:update> command, locking domain
C:
C:
C:
C:
C: example.com
C:
C:
C:
C:
C:
C: ABC-12345
C:
C:
]]>
Formal Syntax
One schema is presented here that is the EPP Registry Lock Extension
schema.
The formal syntax presented here is a complete schema representation
of the object mapping suitable for automated validation of EPP XML
instances. The BEGIN and END tags are not part of the schema; they
are used to note the beginning and ending of the schema for URI
registration purposes.
Registry Lock Extension Schema
Registry Lock Extension to the
Extensible Provisioning Protocol v1.0
END
]]>
IANA Considerations
XML Namespace
This document uses URNs to describe XML namespaces and XML schemas
conforming to a registry mechanism described in .
The following URI assignment is requested of IANA:
Registration request for the registryLock namespace:
- URI: urn:ietf:params:xml:ns:epp:registryLock-1.0
- Registrant Contact: IESG
- XML: None. Namespace URIs do not represent an XML specification.
Registration request for the registryLock XML schema:
- URI: urn:ietf:params:xml:schema:epp:registryLock-1.0
- Registrant Contact: IESG
- XML: See the "Formal Syntax" section of this document.
EPP Extension Registry
The EPP extension described in this document should be registered by
the IANA in the EPP Extension Registry described in . The
details of the registration are as follows:
Name of Extension: "Registry Lock Extension for the
Extensible Provisioning Protocol (EPP)"
Document status: Standards Track
Reference: (insert reference to RFC version of this document)
Registrant Name and Email Address: IESG, <iesg@ietf.org>
TLDs: Any
IPR Disclosure: None
Status: Active
Notes: None
Implementation Status
Note to RFC Editor: Please remove this section and the reference to
RFC 7942 before publication.
Implemented by .SE since 2019.
Security Considerations
The security properties of EPP from are
preserved.
This extensions introduces an additional security layer for changes of
objects managed through EPP. The overall security of these measures
depends on the security of the out-of-band authorization. Registries
and registrars are therefore adviced to select secure forms of
authorization.
Current EPP authorizations schemes are not secure enough to allow
in-band authorization. Registries and registrars therefore MUST not
implent in-band command authorization.
Acknowledgements
The authors wish to thank the following persons for their feedback and suggestions:
Normative References
XML Schema Part 2: Datatypes Second Edition
Change History
Change from 00 to 01
- Corrected information for the <create/> command.
- Minor fixes in wording.
- Introduces resData element.
Change from 01 to 02
- Multiple spelling errors fixed.
- Moved response from resData to extension part of the EPP response.
- Clarification of password and out-of-band usage.
- Updated XML schema and examples
- Changed security considerations for password authorization.
- Added unlockUntil to create command
- Forbid temporarily unlock for password authorization.
Change from 02 to 03
- Fix list styles for better readability
- Fix reference to W3C XML Schema
Change from 03 to 04
- Remove references to in-band authorization
- Remove special response elements
- Add command counter to temporary unlock
- Fix formatting and XML schema