EPP Testbed


EPP is available in a test environment (Operational Test and Evaluation - OT&E) to provide a safe 'sandbox' database for registrars to test their systems without fear of affecting data on the 'live' registry. 


The testbed database provides each registrar with a set of fictional domains, accounts, and contacts. The dataset is provided solely for testing purposes, and registrars are free to alter the data, and register new domains and accounts. The dataset will be reset daily, discarding any changes and additions made. Two testbed servers will be available, a secure EPP server using TLSv1.1 and a plain-text server. Both servers will connect to the same testbed database. The secure EPP server provides server authentication and data encryption but does not require SSL client authentication.

How to register for the EPP testbed

  • Log into the Online Service.
  • Sign up for the testbed service at Tag Settings->EPP Testbed.
  • Enter a password for use in EPP login commands.
  • Specify the IP address from which you will connect to the EPP service.
  • Your new dataset will NOT be available immediately - it will be set up during the next daily reset cycle.
  • These details can be changed at any time, and will be reflected on the testbed server only after its next reset cycle.

How to connect to the EPP testbed server

  • Obtain an EPP client.
  • In order to verify the identity of the secure server you will need the 'Verisign Class 3 Public Primary Certification Authority' root certificate available free from www.verisign.com (the certificate is also distributed with most web browsers).
  • Connect to the secure server at testbed-epp.nominet.org.uk, port: 700.
  • Connect to the plain-text server at testbed-epp.nominet.org.uk, port: 8700.
  • Connections can only be made from the IP address specified above.


Objects existing in the live registry, such as domains and registrant accounts, are NOT replicated in the testbed. Only a clone of your registrar account, and a clone of each tag which is registered to use EPP, will appear in the dataset, with ID values  not matching those in the live register. Aside from this, all information in the testbed will be fictional. A set of domains will be created on each tag, covering a variety of different states grouped together under a series of registrants (TAG will be replaced by your tag-name):

Simple registrant (LTD)



Multiple registrant


banquo-TAG.co.ukns1.benedick-TAG.co.ukShared nameserver
ns1.beatrice-TAG.co.uk (IPv4)
ns2.beatrice-TAG.co.uk (IPv6)
Multiple nameservers

Double registrant (SCH)

Two separate registrants with identical account details.

caliban-TAG.lea.sch.ukns1.caliban-TAG.lea.sch.ukBilling field set to 'th'
claudio-TAG.lea.sch.ukns1.caliban-TAG.lea.sch.ukBilling field set to 'bc'

Suspensions registrant (IND)

demetrius-TAG.co.ukns1.demetrius-TAG.co.ukSuspended, not in renewal period
duncan-TAG.co.ukns1.demetrius-TAG.co.ukSuspended, in renewal period

Expiry registrant (PLC)

ganymede-TAG.net.ukns1.ganymede-TAG.net.ukExpires in 181 days
ganymede-TAG.co.ukns1.ganymede-TAG.net.ukExpires in 179 days
ganymede-TAG.plc.ukns1.ganymede-TAG.net.ukExpires in 2 days, auto-bill=3
hermione-TAG.co.ukns1.ganymede-TAG.net.ukExpires in 2 days, auto-bill=4
hermia-TAG.plc.ukns1.ganymede-TAG.net.ukExpires in 2 days, next-bill=3
horatio-TAG.co.ukns1.ganymede-TAG.net.ukExpires in 2 days, next-bill=4
lysander-TAG.co.ukns1.ganymede-TAG.net.ukExpires in 2 days, renewed within the last 24 hours
macbeth-TAG.plc.ukns1.ganymede-TAG.net.uk>2 years old, renewed
perdita-TAG.co.ukns1.ganymede-TAG.net.ukExpires in 2 years
perdita-TAG.org.ukns1.ganymede-TAG.net.ukExpires in 5 years

DNA registrant

macduff-TAG.co.ukns1.macduff-TAG.co.ukIn renewal period, Do Not Renew set
mercutio-TAG.co.ukns1.macduff-TAG.co.ukNot in renewal period, Do Not Cancel set

Registration registrant

oberon-TAG.co.ukns1.oberon-TAG.co.ukNew, paid for
oberon-TAG.org.ukns1.oberon-TAG.co.ukNew, unpaid

DNSSEC registrant

ophelia-TAG.co.ukns1.ophelia-TAG.co.ukDomain has 1 DS Record

Failed validation data

portia-TAG.co.ukns1.portia-TAG.co.ukName data failed validation
romeo-TAG.co.ukns1.romeo-TAG.co.ukAddress data failed validation
titania-TAG.co.ukns1.titania-TAG.co.ukName and address failed validation
aegeon-TAG.co.ukns1.aegeon-TAG.co.ukName and address failed validation



All tags on the testbed are marked as "DNSSEC-enabled".

Manual Referrals

To test create requests which are referred for manual intervention, applications made to the testbed for domain names ending ".ltd.uk" are validated automatically.  Domains starting with the letters a-m will result in a successful request, all other ".ltd.uk" domain names will be rejected with the reason ".ltd.uk domains are for UK Limited companies only, see clause 10 of http://www.nominet.org.uk/go/rules regarding <name>.ltd.uk".

The validation test occurs once per hour.  If multiple requests are received for the same domain name within this period, all but the first request will be rejected for the reason "Domain already registered" when tested.

Changing EPP logon details & option fields

Your EPP password for the testbed (and the associated IP address) can be changed via the Online Service. Such changes will be reflected in the testbed after the next daily reset cycle. Changes to the Registry Options (e.g. Nameserver Consolidation) will likewise not be reflected immediately.

Changes made within the testbed to your EPP password will affect only the testbed, and will persist only until the next reset cycle. No data in the testbed will be copied to the live register.


The testbed environment is as close to the live environment as possible. Consequently, any (fictional) domain created in the testbed must have a unique name. In order to avoid potential name conflicts with other tags, it is suggested that you append your tag-name to the key of any domains you request.


A WHOIS server is available for the Testbed to assist with testing. The testbed server is at testbed-whois.nominet.org.uk. Usage limits of 100,000 requests per day are in force.

Setting Privacy

Privacy service framework

A privacy service has been created for all registrars to use. In the live environment you will need to register your privacy service through Online Services before you can apply the privacy service against domains. The privacy service details setup within the testbed are as follows:
Privacy service name: Test privacy
Privacy service address: Test privacy addr
To apply this to a domain you will need to use the following EPP commands:

Create Contact

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
        <contact:postalInfo type="int">
          <contact:name>John Doe</contact:name>
          <contact:org>Example Inc.</contact:org>
            <contact:street>123 Example Dr.</contact:street>
            <contact:street>Suite 100</contact:street>
        <contact:disclose flag="0">
          <contact:org type="int"/>
          <contact:addr type="int"/>

Modify contact to add privacy service

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"
 xsi:schemaLocation="urn:ietf:params:xml:ns:epp-1.0 epp-1.0.xsd">
           xsi:schemaLocation="urn:ietf:params:xml:ns:contact-1.0 contact-1.0.xsd">
        <contact:disclose flag="0">
           <contact:org type="int"/>
           <contact:addr type="int"/>

Remove privacy service in modify contact

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"
 xsi:schemaLocation="urn:ietf:params:xml:ns:epp-1.0 epp-1.0.xsd">
           xsi:schemaLocation="urn:ietf:params:xml:ns:contact-1.0 contact-1.0.xsd">
        <contact:disclose flag="1">
           <contact:org type="int"/>
           <contact:addr type="int"/>

The EPP disclose field is defined in RFC5733 as the preference to disclose. Therefore to set the privacy service, registrars need to set this field  to ‘0’. To turn off the privacy service, set it to ‘1’.
Documentation can be found in RFC 5733 Section 2.9 is most relevant.

If it is a second level .uk domain requiring a UK address for service, the registrar should submit this address with the registration, as is the case now.

Privacy can be applied to any contact type. 

Privacy can be set for just the contact name, for the contact address or for both.

The type attribute on the contact:postalInfo field is "loc". EPP standard also allows for "int" and two addresses may be provided. We will take the "loc" value if both are provided. The type field in the disclose field must match that in the postalInfo field.
The <contact:disclose> field may contain <contact:org>, <contact:name>, <contact:addr>, <contact:voice>, <contact:fax> or <contact:email> as standard. We will require both the <contact:org> and <contact:addr> fields as those are the ones we expose on the whois. All other fields will be ignored.

Once privacy has been applied against a domain you will be able to use the testbed WHOIS server to query the domain to see the privacy service displayed instead of the registrants details.


To generate registrar change notifications on the testbed, a clone of all tags on the testbed has been provided - all connection IP addresses are the same. This tag can be used to transfer a domain name to your tag and generate a notification. The name of the cloned tag is generated as follows:

  • If the tag name has less than 16 characters, the cloned tag is the same as the original with a trailing '_'. For example, if the tag is 'EXAMPLE', the cloned tag is 'EXAMPLE_'.
  • If the tag name has 16 characters, the final character has been replaced with a '_'. For example, if the tag is 'EXAMPLE-WITH-16C', the cloned tag is 'EXAMPLE-WITH-16_'.

Registrar change handshakes

When a registrar change is requested to move a domain name to another tag, a handshake may be generated. In our live system, handshakes are automatically rejected after 5 days if no action has been taken. In the test bed, this timeout is set to one hour