<?xml version="1.0" encoding="UTF-8"?>
  <?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
  <!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.8) -->


<!DOCTYPE rfc  [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">

<!ENTITY RFC5731 SYSTEM "https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5731.xml">
<!ENTITY RFC2119 SYSTEM "https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml">
<!ENTITY RFC8174 SYSTEM "https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml">
<!ENTITY RFC5730 SYSTEM "https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5730.xml">
<!ENTITY RFC5733 SYSTEM "https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5733.xml">
]>


<rfc ipr="trust200902" docName="draft-skoglund-epp-registry-lock-00" category="std" consensus="true">
  <front>
    <title abbrev="EPP Registry Lock">Registry Lock Extension for the Extensible Provisioning Protocol (EPP)</title>

    <author initials="E." surname="Skoglund" fullname="Eric Skoglund">
      <organization>The Swedish Internet Foundation</organization>
      <address>
        <email>eric.skoglund@internetstiftelsen.se</email>
      </address>
    </author>
    <author initials="S." surname="Kämpf" fullname="Sascha Kämpf">
      <organization>DENIC</organization>
      <address>
        <email>kaempf@denic.de</email>
      </address>
    </author>

    <date />

    
    
    

    <abstract>


<?line 25?>

<t>This document describes an Extensible Provisioning Protocol (EPP) extension
for setting and managing a registry lock on a domain object.</t>

<t>TO BE REMOVED: This document is being collaborated on in Github at:
<eref target="https://github.com/EricIO/draft-regext-epp-registry-lock">https://github.com/EricIO/draft-regext-epp-registry-lock</eref>.
The most recent working version of the document, open issues, etc. should all be
available there.  The authors (gratefully) accept pull requests.</t>



    </abstract>



  </front>

  <middle>


<?line 35?>

<section anchor="introduction"><name>Introduction</name>

<t>A registry lock secures a domain from any unauthorized changes to it on the
registry level as opposed to the registrar level.  It is targeted primarily at
high-value, business-critical domains, whose holders value the benefits of
increased security over the risks of unauthorized or unwanted changes to their
domains.</t>

<t>This document describes an EPP extension to the domain object mapping (<xref target="RFC5731"/>)
that allows a sponsoring client to manage registry locked domains automatically.</t>

<section anchor="conventions-used-in-this-document"><name>Conventions Used in This Document</name>

<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they appear in all
capitals, as shown here.</t>

<t>In this document's examples, "C:" represents lines sent by a protocol
client and "S:" represents lines returned by a protocol server.
Indentation and white space in these examples are provided only to
illustrate element relationships and are not required features of
this protocol.</t>

</section>
<section anchor="registry-lock"><name>Registry Lock</name>

<t>Many registries provide registrants with a way to add protection to their
domains by locking them at the registry level.  By locking a domain, a
registrant ensures that any changes (except for renewing the domain) are
verified by the registry before going into effect.  As of yet there has
been no standardized process for a registry lock, and registries that
provide it have come up with different processes, most including some
level of manual intervention.</t>

<t>While a domain that has a registry lock enabled on it needs authorization
for any changes, a registry MAY allow changes that bypass the
authorization via automated DNSSEC provisioning, for example using
a CDS/CSYNC scanner.</t>

<t>The removal of a registry lock is a manual, operational procedure and
is not covered in this specification.</t>

<t>In this document, we define an EPP extension that enables registries and
registrars to further automate the registry lock process.</t>

<section anchor="registry-lock-contact"><name>Registry Lock Contact</name>

<t>A registry lock contact is a contact connected to a domain object that
is able to authorize changes to the object. A domain MAY have multiple
registry lock contacts, in which case changes MAY need to be authorized
by multiple registry lock contacts. A server MAY restrict the maximum
number of registry lock contacts connected to a domain.</t>

</section>
<section anchor="status-values-for-locked-domains"><name>Status Values for Locked Domains</name>

<t>Once a registry lock has been applied on a domain object, the object
MUST have the serverDeleteProhibited status value set on it.</t>

<t>While a transform request is pending authorization, the serverPendingUpdate
status MUST be set on the domain.</t>

</section>
<section anchor="adding-a-registry-lock-to-a-domain"><name>Adding a registry lock to a domain</name>

<t>When a registry lock is set on a domain, a server MUST respond with a result
code of 1001 as defined in section 3 of <xref target="RFC5730"/>. A server must then
await authorization as set out by the registry lock contact parameters
provided. If the command is authorized within the specified deadline, a
server MUST send a poll message indicating the successful transform.</t>

<t>Example poll message indicating success:</t>

<figure><artwork><![CDATA[
S:<?xml version="1.0" encoding="UTF-8"?>
S:<epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
S:   <response>
S:      <result code="1301">
S:         <msg lang="en-US">
S:             Command completed successfully; ack to dequeue
S:         </msg>
S:      </result>
S:      <msgQ id="201" count="1">
S:         <qDate>2013-10-22T14:25:57.0Z</qDate>
S:         <msg>Setting registry lock on domain succeeded.</msg>
S:      </msgQ>
S:    <resData>
S:      <regLock:infData xmlns:regLock="urn:ietf:params:xml:ns:regLock-1.0">
S:        <regLock:domain>example.com</regLock:domain>
S:        <regLock:operation success="true">update</regLock:operation>
S:        <regLock:svTRID>12345-XYZ</regLock:svTRID>
S:        <regLock:approvedBy>
S:          <regLock:contact>
S:             <regLock:id>rl01</regLock:id>
S:          </regLock:contact>
S:        </regLock:approvedBy>
S:      </regLock:infData>
S:    </resData>
S:    <trID>
S:      <clTRID>ABC-12345</clTRID>
S:      <svTRID>54321-XYZ</svTRID>
S:    </trID>
S:   </response>
S:</epp>
]]></artwork></figure>

<t>If a transform is not authorized within the deadline, a server MUST send
a poll message indicating the failure of the transform.</t>

<t>Example poll message indicating failure:</t>

<figure><artwork><![CDATA[
S:<?xml version="1.0" encoding="UTF-8"?>
S:<epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
S:   <response>
S:      <result code="1301">
S:         <msg lang="en-US">
S:             Command completed successfully; ack to dequeue
S:         </msg>
S:      </result>
S:      <msgQ id="201" count="1">
S:         <qDate>2013-10-22T14:25:57.0Z</qDate>
S:         <msg>Update of locked domain failed.</msg>
S:      </msgQ>
S:    <resData>
S:      <regLock:infData xmlns:regLock="urn:ietf:params:xml:ns:regLock-1.0">
S:        <regLock:domain>example.com</regLock:domain>
S:        <regLock:operation success="false">update</regLock:operation>
S:        <regLock:svTRID>12345-XYZ</regLock:svTRID>
S:      </regLock:infData>
S:    </resData>
S:    <trID>
S:      <clTRID>ABC-12345</clTRID>
S:      <svTRID>54321-XYZ</svTRID>
S:    </trID>
S:   </response>
S:</epp>
]]></artwork></figure>

</section>
<section anchor="handling-changes-to-an-associated-contact-object"><name>Handling changes to an associated contact object</name>

<t>Updates to a contact object that is associated as a registry lock contact for
a domain object MUST be rejected. If an update command for a contact object
associated with a locked domain is processed successfully, a server MUST respond
with a result code of 2305 as defined in section 3 of <xref target="RFC5730"/>.</t>

</section>
<section anchor="handling-changes-to-a-locked-domain"><name>Handling changes to a locked domain</name>

<t>If an update command for a locked domain is processed successfully,
a server MUST respond with a result code of 1001 as defined in section 3
of <xref target="RFC5730"/>, to indicate that the transform is awaiting authorization
to be completed. If a transform command is authorized within the specified
deadline, a server MUST send a poll message indicating the successful transform.</t>

<t>Example poll message indicating success:</t>

<figure><artwork><![CDATA[
S:<?xml version="1.0" encoding="UTF-8"?>
S:<epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
S:   <response>
S:      <result code="1301">
S:         <msg lang="en-US">
S:             Command completed successfully; ack to dequeue
S:         </msg>
S:      </result>
S:      <msgQ id="201" count="1">
S:         <qDate>2013-10-22T14:25:57.0Z</qDate>
S:         <msg>Update of locked domain succeeded.</msg>
S:      </msgQ>
S:    <resData>
S:      <regLock:infData xmlns:regLock="urn:ietf:params:xml:ns:regLock-1.0">
S:        <regLock:domain>example.com</regLock:domain>
S:        <regLock:operation success="true">update</regLock:operation>
S:        <regLock:svTRID>12345-XYZ</regLock:svTRID>
S:        <regLock:approvedBy>
S:          <regLock:contact>
S:             <regLock:id>rl01</regLock:id>
S:          </regLock:contact>
S:        </regLock:approvedBy>
S:      </regLock:infData>
S:    </resData>
S:    <trID>
S:      <clTRID>ABC-12345</clTRID>
S:      <svTRID>54321-XYZ</svTRID>
S:    </trID>
S:   </response>
S:</epp>
]]></artwork></figure>

<t>If a transform is not authorized within the deadline, a server MUST send
a poll message indicating the failure of the transform.</t>

<t>Example poll message indicating failure:</t>

<figure><artwork><![CDATA[
S:<?xml version="1.0" encoding="UTF-8"?>
S:<epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
S:   <response>
S:      <result code="1301">
S:         <msg lang="en-US">
S:             Command completed successfully; ack to dequeue
S:         </msg>
S:      </result>
S:      <msgQ id="201" count="1">
S:         <qDate>2013-10-22T14:25:57.0Z</qDate>
S:         <msg>Update of locked domain failed.</msg>
S:      </msgQ>
S:    <resData>
S:      <regLock:infData xmlns:regLock="urn:ietf:params:xml:ns:regLock-1.0">
S:        <regLock:domain>example.com</regLock:domain>
S:        <regLock:operation success="false">update</regLock:operation>
S:        <regLock:svTRID>12345-XYZ</regLock:svTRID>
S:      </regLock:infData>
S:    </resData>
S:    <trID>
S:      <clTRID>ABC-12345</clTRID>
S:      <svTRID>54321-XYZ</svTRID>
S:    </trID>
S:   </response>
S:</epp>
]]></artwork></figure>
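
<t>An added example, not part of this specification, of how a sponsoring client
could correlate these poll messages with the transforms it submitted: it records
the server transaction ID returned with result code 1001 and treats a poll
outcome for an unrecorded ID as unexpected. The function names, the outcome
labels, the use of <spanx style="verb">&lt;regLock:svTRID&gt;</spanx> as the correlation key, and the
constructed sample message are assumptions.</t>

<figure><artwork><![CDATA[
```python
# Added example, not from the draft: client-side handling of regLock
# poll messages. Names and outcome labels are hypothetical.
import xml.etree.ElementTree as ET

NS = {"epp": "urn:ietf:params:xml:ns:epp-1.0",
      "regLock": "urn:ietf:params:xml:ns:regLock-1.0"}

# Constructed sample modelled on the success poll message shown above,
# written with matching open/close tags and without the "S:" prefixes.
SAMPLE_POLL = """<epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
  <response>
    <result code="1301">
      <msg lang="en-US">Command completed successfully; ack to dequeue</msg>
    </result>
    <msgQ id="201" count="1">
      <qDate>2013-10-22T14:25:57.0Z</qDate>
      <msg>Update of locked domain succeeded.</msg>
    </msgQ>
    <resData>
      <regLock:infData xmlns:regLock="urn:ietf:params:xml:ns:regLock-1.0">
        <regLock:domain>example.com</regLock:domain>
        <regLock:operation success="true">update</regLock:operation>
        <regLock:svTRID>12345-XYZ</regLock:svTRID>
        <regLock:approvedBy>
          <regLock:contact><regLock:id>rl01</regLock:id></regLock:contact>
        </regLock:approvedBy>
      </regLock:infData>
    </resData>
    <trID><clTRID>ABC-12345</clTRID><svTRID>54321-XYZ</svTRID></trID>
  </response>
</epp>"""


def parse_lock_poll(xml_text):
    """Return the regLock outcome in a poll response, or None if absent."""
    root = ET.fromstring(xml_text)
    data = root.find("epp:response/epp:resData/regLock:infData", NS)
    if data is None:
        return None  # a poll message of some other kind
    op = data.find("regLock:operation", NS)
    flag = op.get("success") if op is not None else None
    if flag not in ("true", "false"):
        raise ValueError("regLock poll data without a success flag")
    msgq = root.find("epp:response/epp:msgQ", NS)
    ids = data.findall("regLock:approvedBy/regLock:contact/regLock:id", NS)
    return {
        "msg_id": msgq.get("id") if msgq is not None else None,
        "domain": data.findtext("regLock:domain", default="", namespaces=NS),
        "operation": (op.text or "").strip(),
        "success": flag == "true",
        "svTRID": data.findtext("regLock:svTRID", default="", namespaces=NS),
        "approved_by": [e.text for e in ids],
    }


def reconcile(pending, notice):
    """Match a poll outcome against transforms this client submitted.

    pending maps the svTRID of each 1001 response to the domain name the
    command targeted; resolved entries are removed from it.
    """
    expected = pending.get(notice["svTRID"])
    if expected is None:
        return "unexpected"  # outcome for a transform never recorded here
    if expected.lower() != notice["domain"].lower():
        return "mismatch"    # known transaction, different domain
    del pending[notice["svTRID"]]
    return "applied" if notice["success"] else "expired"


if __name__ == "__main__":
    waiting = {"12345-XYZ": "example.com"}  # recorded at the 1001 response
    notice = parse_lock_poll(SAMPLE_POLL)
    print(notice["msg_id"], reconcile(waiting, notice))
```
]]></artwork></figure>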

</section>
</section>
<section anchor="extension-elements"><name>Extension Elements</name>

<t>This extension adds additional elements to the EPP domain mapping.</t>

<section anchor="the-reglockpolicy-element"><name>The <spanx style="verb">&lt;regLock:policy&gt;</spanx> element</name>

<t>The <spanx style="verb">&lt;regLock:policy&gt;</spanx> element contains the following elements:</t>

<t><list style="symbols">
  <t>One OPTIONAL <spanx style="verb">&lt;regLock:timeout&gt;</spanx> element that contains the timeout after
which any <spanx style="verb">&lt;domain:update&gt;</spanx> operation will fail. A server MAY restrict the allowed
values.</t>
  <t>One OPTIONAL <spanx style="verb">&lt;regLock:quorom&gt;</spanx> element that contains a positive non-zero integer
that sets the number of registry lock contacts that MUST authorize the domain
changes for it to be approved. A server MAY restrict the number of registry lock
contacts a domain object can have.</t>
</list></t>
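
<t>The following added example (not part of this specification or of any
registry's implementation) sketches how a server could evaluate a pending
transform against these policy values: only distinct registry lock contacts
count toward the quorum, and approvals outside the timeout window are ignored.
The class and function names, the outcome labels, and any timeout syntax beyond
the "1h" and "3h" values shown in this document are assumptions.</t>

<figure><artwork><![CDATA[
```python
# Added example, not from the draft: server-side evaluation of a pending
# transform against <regLock:timeout> and <regLock:quorom>.
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumption: a timeout is a positive integer plus a unit. The draft only
# shows "1h" and "3h"; the "m" and "d" units are hypothetical.
_UNITS = {"m": "minutes", "h": "hours", "d": "days"}


def parse_timeout(text):
    """Convert a timeout such as "1h" to a timedelta, rejecting the rest."""
    match = re.fullmatch(r"([1-9][0-9]*)([mhd])", text.strip())
    if match is None:
        raise ValueError(f"unsupported timeout value: {text!r}")
    return timedelta(**{_UNITS[match.group(2)]: int(match.group(1))})


@dataclass
class PendingTransform:
    sv_trid: str               # server transaction ID of the 1001 response
    submitted: datetime
    timeout: timedelta
    quorum: int
    lock_contacts: frozenset   # contact IDs allowed to authorize
    approvals: dict = field(default_factory=dict)  # contact ID -> time

    def __post_init__(self):
        if self.quorum < 1:
            raise ValueError("quorum must be a positive non-zero integer")
        if self.quorum > len(self.lock_contacts):
            raise ValueError("quorum can never be met by the lock contacts")

    @property
    def deadline(self):
        return self.submitted + self.timeout

    def approve(self, contact_id, when):
        """Record an approval; return True only if it newly counts."""
        if contact_id not in self.lock_contacts:
            return False       # not a registry lock contact of this domain
        if not (self.submitted <= when < self.deadline):
            return False       # outside the authorization window
        if contact_id in self.approvals:
            return False       # one contact cannot fill two quorum slots
        self.approvals[contact_id] = when
        return True

    def state(self, now):
        """Return "approved", "failed" or "pending" (serverPendingUpdate)."""
        if len(self.approvals) >= self.quorum:
            return "approved"
        return "failed" if now >= self.deadline else "pending"

    def poll_summary(self, now):
        """Data for the poll message once the outcome is final, else None."""
        outcome = self.state(now)
        if outcome == "pending":
            return None
        return {"svTRID": self.sv_trid,
                "success": outcome == "approved",
                "approvedBy": sorted(self.approvals)}


if __name__ == "__main__":
    start = datetime(2013, 10, 22, 13, 0, tzinfo=timezone.utc)  # constructed
    change = PendingTransform("12345-XYZ", start, parse_timeout("1h"), 2,
                              frozenset({"rl1001", "rl1002"}))
    change.approve("rl1001", start + timedelta(minutes=5))
    change.approve("rl1001", start + timedelta(minutes=6))  # ignored repeat
    print(change.state(start + timedelta(minutes=10)))      # still pending
    print(change.poll_summary(start + timedelta(hours=1)))  # failed outcome
```
]]></artwork></figure>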

</section>
<section anchor="the-reglockcontact-element"><name>The <spanx style="verb">&lt;regLock:contact&gt;</spanx> element</name>

<t>The <spanx style="verb">&lt;regLock:contact&gt;</spanx> element contains the following elements:</t>

<t><list style="symbols">
  <t><spanx style="verb">&lt;regLock:contactID&gt;</spanx> the contact identifier.</t>
  <t>An OPTIONAL <spanx style="verb">&lt;regLock:method&gt;</spanx> the method used by the registry lock contact to
authorize changes. A server MAY restrict the allowed values.</t>
</list></t>

<section anchor="well-known-reglockmethod-values"><name>Well known <spanx style="verb">&lt;regLock:method&gt;</spanx> values</name>

<t>A server MAY allow any value for the <spanx style="verb">&lt;regLock:method&gt;</spanx> element. The following
values have a well-known definition:</t>

<t><list style="symbols">
  <t>email  - The contact will receive an email with further instructions.</t>
  <t>text   - The contact will receive a text message with further instructions.</t>
  <t>letter - The contact will receive a postal letter with further instructions.</t>
  <t>phone  - The contact will receive a phone call with further instructions.</t>
  <t>token  - The contact will be provided means to send a token to the server for
         authorizing changes.</t>
</list></t>

</section>
</section>
</section>
<section anchor="epp-command-mapping"><name>EPP Command Mapping</name>

<section anchor="epp-query-commands"><name>EPP Query Commands</name>

<section anchor="epp-check-command"><name>EPP <spanx style="verb">&lt;check&gt;</spanx> Command</name>

<t>This extension does not add any elements to the EPP <spanx style="verb">&lt;check&gt;</spanx> command
or <spanx style="verb">&lt;check&gt;</spanx> response described in the EPP domain mapping <xref target="RFC5731"/>.</t>

</section>
<section anchor="epp-info-command"><name>EPP <spanx style="verb">&lt;info&gt;</spanx> Command</name>

<t>This extension does not add any elements to the EPP <spanx style="verb">&lt;info&gt;</spanx> command
described in the EPP domain mapping <xref target="RFC5731"/>.  However, additional
elements are defined for the <spanx style="verb">&lt;info&gt;</spanx> response.</t>

<t>An example <spanx style="verb">&lt;info&gt;</spanx> response for a domain object with no pending updates:</t>

<figure><artwork><![CDATA[
S:<?xml version="1.0" encoding="UTF-8" standalone="no"?>
S:<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"
S:     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
S:  <response>
S:    <result code="1000">
S:      <msg>Command completed successfully</msg>
S:    </result>
S:    <resData>
S:      <domain:infData
S:       xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
S:        <domain:name>example.com</domain:name>
S:        <domain:roid>EXAMPLE1-REP</domain:roid>
S:        <domain:status s="ok"/>
S:        <domain:registrant>jd1234</domain:registrant>
S:        <domain:contact type="admin">sh8013</domain:contact>
S:        <domain:contact type="tech">sh8013</domain:contact>
S:        <domain:ns>
S:          <domain:hostObj>ns1.example.com</domain:hostObj>
S:          <domain:hostObj>ns2.example.com</domain:hostObj>
S:        </domain:ns>
S:        <domain:host>ns1.example.com</domain:host>
S:        <domain:host>ns2.example.com</domain:host>
S:        <domain:clID>ClientX</domain:clID>
S:        <domain:crID>ClientY</domain:crID>
S:        <domain:crDate>1999-04-03T22:00:00.0Z</domain:crDate>
S:        <domain:upID>ClientX</domain:upID>
S:        <domain:upDate>1999-12-03T09:00:00.0Z</domain:upDate>
S:        <domain:exDate>2005-04-03T22:00:00.0Z</domain:exDate>
S:        <domain:trDate>2000-04-08T09:00:00.0Z</domain:trDate>
S:        <domain:authInfo>
S:          <domain:pw>2fooBAR</domain:pw>
S:        </domain:authInfo>
S:      </domain:infData>
S:    </resData>
S:    <extension>
S:      <regLock:infData
S:       xmlns:regLock="urn:ietf:params:xml:ns:regLock-1.0">
S:        <regLock:policyData>
S:          <regLock:timeout>1h</regLock:timeout>
S:          <regLock:quorom>2</regLock:quorom>
S:        </regLock:policyData>
S:        <regLock:contactData>
S:          <regLock:contact>
S:            <regLock:id>rl1001</regLock:id>
S:            <regLock:method>email</regLock:method>
S:          </regLock:contact>
S:          <regLock:contact>
S:            <regLock:id>rl1002</regLock:id>
S:            <regLock:method>email</regLock:method>
S:          </regLock:contact>
S:        </regLock:contactData>
S:      </regLock:infData>
S:    </extension>
S:    <trID>
S:      <clTRID>ABC-12345</clTRID>
S:      <svTRID>54322-XYZ</svTRID>
S:    </trID>
S:  </response>
S:</epp>
]]></artwork></figure>

<t>An example <spanx style="verb">&lt;info&gt;</spanx> response for a domain with pending updates:</t>

<figure><artwork><![CDATA[
S:<?xml version="1.0" encoding="UTF-8" standalone="no"?>
S:<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"
S:     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
S:  <response>
S:    <result code="1000">
S:      <msg>Command completed successfully</msg>
S:    </result>
S:    <resData>
S:      <domain:infData
S:       xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
S:        <domain:name>example.com</domain:name>
S:        <domain:roid>EXAMPLE1-REP</domain:roid>
S:        <domain:status s="ok"/>
S:        <domain:registrant>jd1234</domain:registrant>
S:        <domain:contact type="admin">sh8013</domain:contact>
S:        <domain:contact type="tech">sh8013</domain:contact>
S:        <domain:ns>
S:          <domain:hostObj>ns1.example.com</domain:hostObj>
S:          <domain:hostObj>ns2.example.com</domain:hostObj>
S:        </domain:ns>
S:        <domain:host>ns1.example.com</domain:host>
S:        <domain:host>ns2.example.com</domain:host>
S:        <domain:clID>ClientX</domain:clID>
S:        <domain:crID>ClientY</domain:crID>
S:        <domain:crDate>1999-04-03T22:00:00.0Z</domain:crDate>
S:        <domain:upID>ClientX</domain:upID>
S:        <domain:upDate>1999-12-03T09:00:00.0Z</domain:upDate>
S:        <domain:exDate>2005-04-03T22:00:00.0Z</domain:exDate>
S:        <domain:trDate>2000-04-08T09:00:00.0Z</domain:trDate>
S:        <domain:authInfo>
S:          <domain:pw>2fooBAR</domain:pw>
S:        </domain:authInfo>
S:      </domain:infData>
S:    </resData>
S:    <extension>
S:      <regLock:infData
S:       xmlns:regLock="urn:ietf:params:xml:ns:regLock-1.0">
S:        <regLock:policyData>
S:          <regLock:timeout>1h</regLock:timeout>
S:          <regLock:quorom>2</regLock:quorom>
S:        </regLock:policyData>
S:        <regLock:contactData>
S:          <regLock:contact>
S:            <regLock:id>rl1001</regLock:id>
S:            <regLock:method>email</regLock:method>
S:          </regLock:contact>
S:          <regLock:contact>
S:            <regLock:id>rl1002</regLock:id>
S:            <regLock:method>email</regLock:method>
S:          </regLock:contact>
S:        </regLock:contactData>
S:        <regLock:updateData>
S:           <regLock:update>
S:             <regLock:trID>foo</regLock:trID>
S:             <regLock:contactID approved="1">rl1001</regLock:contactID>
S:             <regLock:contactID approved="0">rl1002</regLock:contactID>
S:           </regLock:update>
S:        </regLock:updateData>
S:      </regLock:infData>
S:    </extension>
S:    <trID>
S:      <clTRID>ABC-12345</clTRID>
S:      <svTRID>54322-XYZ</svTRID>
S:    </trID>
S:  </response>
S:</epp>
]]></artwork></figure>

</section>
</section>
<section anchor="epp-transfer-command"><name>EPP <spanx style="verb">&lt;transfer&gt;</spanx> Command</name>

<t>This extension does not add any elements to the EPP <spanx style="verb">&lt;transfer&gt;</spanx> command
or <spanx style="verb">&lt;transfer&gt;</spanx> responses as described in the EPP domain mapping <xref target="RFC5731"/>.</t>

</section>
<section anchor="epp-transform-commands"><name>EPP Transform Commands</name>

<t>EPP provides five commands to transform objects: <spanx style="verb">&lt;create&gt;</spanx> to create
an instance of an object, <spanx style="verb">&lt;delete&gt;</spanx> to delete an instance of an
object, <spanx style="verb">&lt;renew&gt;</spanx> to extend the validity period of an object,
<spanx style="verb">&lt;transfer&gt;</spanx> to manage object sponsorship changes, and <spanx style="verb">&lt;update&gt;</spanx> to
change information associated with an object.</t>

<section anchor="epp-create-command"><name>EPP <spanx style="verb">&lt;create&gt;</spanx> Command</name>

<t>This extension defines additional elements for the EPP <spanx style="verb">&lt;create&gt;</spanx>
command described in the EPP domain mapping <xref target="RFC5731"/>.  No additional
elements are defined for the EPP <spanx style="verb">&lt;create&gt;</spanx> response.</t>

<figure><artwork><![CDATA[
C:<?xml version="1.0" encoding="UTF-8" standalone="no"?>
C:<epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
C:  <command>
C:    <create>
C:      <domain:create
C:       xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
C:        <domain:name>allocation.example</domain:name>
C:        <domain:registrant>jd1234</domain:registrant>
C:        <domain:contact type="admin">sh8013</domain:contact>
C:        <domain:contact type="tech">sh8013</domain:contact>
C:        <domain:authInfo>
C:          <domain:pw>2fooBAR</domain:pw>
C:        </domain:authInfo>
C:      </domain:create>
C:    </create>
C:    <extension>
C:      <regLock:create xmlns:regLock="urn:ietf:params:xml:ns:regLock-1.0">
C:        <regLock:policy>
C:          <regLock:timeout>1h</regLock:timeout>
C:        </regLock:policy>
C:        <regLock:contacts>
C:          <regLock:contact>
C:            <regLock:id>rc101</regLock:id>
C:            <regLock:method>email</regLock:method>
C:          </regLock:contact>
C:        </regLock:contacts>
C:      </regLock:create>
C:    </extension>
C:    <clTRID>ABC-12345</clTRID>
C:  </command>
C:</epp>
]]></artwork></figure>

</section>
<section anchor="epp-delete-command"><name>EPP <spanx style="verb">&lt;delete&gt;</spanx> Command</name>

<section anchor="domain-objects"><name>Domain Objects</name>

<t>This extension does not define any additional elements to the
EPP <spanx style="verb">&lt;delete&gt;</spanx> command or <spanx style="verb">&lt;delete&gt;</spanx> responses described in the EPP
domain mapping <xref target="RFC5731"/>.  However, if a server receives a
<spanx style="verb">&lt;delete&gt;</spanx> command for a domain object with registry lock set, it
MUST be rejected.</t>

</section>
<section anchor="contact-objects"><name>Contact Objects</name>

<t>This extension does not define any additional elements to the
EPP <spanx style="verb">&lt;delete&gt;</spanx> command or <spanx style="verb">&lt;delete&gt;</spanx> responses described in the EPP
contact mapping <xref target="RFC5733"/>.  However, if a server receives a
<spanx style="verb">&lt;delete&gt;</spanx> command for a contact object associated as a registry lock
contact with a domain object, it MUST be rejected.</t>

</section>
</section>
<section anchor="epp-renew-command"><name>EPP <spanx style="verb">&lt;renew&gt;</spanx> Command</name>

<t>This extension does not define any additional elements to the
EPP <spanx style="verb">&lt;renew&gt;</spanx> command or <spanx style="verb">&lt;renew&gt;</spanx> responses described in the EPP
domain mapping <xref target="RFC5731"/>.</t>

</section>
<section anchor="epp-transfer-command-1"><name>EPP <spanx style="verb">&lt;transfer&gt;</spanx> Command</name>

<t>This extension does not define any additional elements to the
EPP <spanx style="verb">&lt;transfer&gt;</spanx> command or <spanx style="verb">&lt;transfer&gt;</spanx> responses described in
the EPP domain mapping <xref target="RFC5731"/>.</t>

</section>
<section anchor="epp-update-command"><name>EPP <spanx style="verb">&lt;update&gt;</spanx> Command</name>

<t>This extension defines additional elements for the EPP <spanx style="verb">&lt;update&gt;</spanx>
command described in the EPP domain mapping <xref target="RFC5731"/>.  No additional
elements are defined for the EPP <spanx style="verb">&lt;update&gt;</spanx> response.</t>

<t>The EPP <spanx style="verb">&lt;update&gt;</spanx> command provides a transform operation that allows a
client to modify the attributes of a domain object.  In addition to
the EPP command elements described in the EPP domain mapping, the
command MUST contain an <spanx style="verb">&lt;extension&gt;</spanx> element, and the <spanx style="verb">&lt;extension&gt;</spanx>
element MUST contain a child <spanx style="verb">&lt;regLock:update&gt;</spanx> element that identifies
the extension namespace if the client wants to update the domain
object with data defined in this extension.  The <spanx style="verb">&lt;regLock:update&gt;</spanx>
element contains a <spanx style="verb">&lt;regLock:add&gt;</spanx> to add registry lock contacts to
a domain, a <spanx style="verb">&lt;regLock:rem&gt;</spanx> to remove registry lock contacts from a domain,
or a <spanx style="verb">&lt;regLock:chg&gt;</spanx> element to change policy information or a registry lock
contact's authorization method. At least one <spanx style="verb">&lt;regLock:add&gt;</spanx>, <spanx style="verb">&lt;regLock:rem&gt;</spanx>,
or <spanx style="verb">&lt;regLock:chg&gt;</spanx> element MUST be provided.</t>

<t>A <spanx style="verb">&lt;regLock:add&gt;</spanx> or <spanx style="verb">&lt;regLock:rem&gt;</spanx> MUST only contain <spanx style="verb">&lt;regLock:contact&gt;</spanx>
elements as child elements.</t>

<t>An example update command changing policy data:</t>

<figure><artwork><![CDATA[
C:<?xml version="1.0" encoding="UTF-8" standalone="no"?>
C:<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"
C:     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
C:  <command>
C:    <update>
C:      <domain:update
C:       xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
C:        <domain:name>example.com</domain:name>
C:      </domain:update>
C:    </update>
C:    <extension>
C:      <regLock:update
C:       xmlns:regLock="urn:ietf:params:xml:ns:regLock-1.0">
C:        <regLock:chg>
C:          <regLock:policyData>
C:            <regLock:timeout>3h</regLock:timeout>
C:          </regLock:policyData>
C:        </regLock:chg>
C:      </regLock:update>
C:    </extension>
C:    <clTRID>ABC-12345</clTRID>
C:  </command>
C:</epp>
]]></artwork></figure>

<t>An example update command adding and removing registry lock contacts:</t>

<figure><artwork><![CDATA[
C:<?xml version="1.0" encoding="UTF-8" standalone="no"?>
C:<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"
C:     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
C:  <command>
C:    <update>
C:      <domain:update
C:       xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
C:        <domain:name>example.com</domain:name>
C:      </domain:update>
C:    </update>
C:    <extension>
C:      <regLock:update
C:       xmlns:regLock="urn:ietf:params:xml:ns:regLock-1.0">
C:        <regLock:add>
C:          <regLock:contact>
C:            <regLock:id>rl1003</regLock:id>
C:            <regLock:method>email</regLock:method>
C:          </regLock:contact>
C:          <regLock:contact>
C:            <regLock:id>rl1004</regLock:id>
C:            <regLock:method>email</regLock:method>
C:          </regLock:contact>
C:        </regLock:add>
C:        <regLock:rem>
C:          <regLock:contact>
C:            <regLock:id>rl1001</regLock:id>
C:          </regLock:contact>
C:        </regLock:rem>
C:      </regLock:update>
C:    </extension>
C:    <clTRID>ABC-12345</clTRID>
C:  </command>
C:</epp>
]]></artwork></figure>

</section>
</section>
</section>
<section anchor="formal-syntax"><name>Formal Syntax</name>

</section>
</section>


  </middle>

  <back>



    <references title='Normative References' anchor="sec-normative-references">

&RFC5731;
&RFC2119;
&RFC8174;
&RFC5730;
&RFC5733;


    </references>





  </back>


</rfc>

