Port 700: EPP — The domain name industry's secure handshake

Port 700 is where domain registrars talk to domain registries. When you register a domain, transfer it to a new registrar, update its nameservers, or renew it for another year—EPP on port 700 is the secure channel carrying those commands.

What EPP Does

EPP (Extensible Provisioning Protocol) is an XML-based protocol designed for one specific purpose: managing domain names in a shared registry system.¹ It handles:

• Domain registration — Creating new domain registrations
• Domain transfers — Moving domains between registrars
• Domain updates — Changing nameservers, contacts, status codes
• Domain renewals — Extending registration periods
• Domain deletions — Removing domains from the registry

The protocol uses XML messages sent over TCP, always wrapped in TLS encryption. A registrar connects to a registry's EPP server on port 700, authenticates, and then sends commands. The registry responds with success or error messages—also in XML.²

Why Port 700 Exists

Before EPP, chaos. Every domain registry (VeriSign for .com, PIR for .org, country-code registries) had its own proprietary interface. Registrars had to integrate with dozens of different systems, each with different authentication, different commands, different data formats. It didn't scale.³

The IETF started working on EPP in 2000, after a Birds of a Feather session at IETF-49.⁴ The goal: create a single standardized protocol that every registry could implement. First drafts became RFCs in March 2004. By August 2009, EPP achieved full Internet Standard status (STD 69).⁵

ICANN made EPP a requirement in their base registry contracts.⁶ Today, the vast majority of generic top-level domains (gTLDs) and country-code TLDs (ccTLDs) use EPP. Port 700 is the standard.

How It Works

EPP sessions are persistent connections. A registrar opens a TCP connection to the registry's EPP server on port 700, negotiates TLS, authenticates with credentials, and then the connection stays open. Commands and responses flow back and forth over this single encrypted channel.²

The protocol is stateful. The server remembers who you are. You don't re-authenticate for every command. When you're done, you send a logout command and close the connection cleanly.

Example command (simplified):

<epp>
  <command>
    <create>
      <domain:create>
        <domain:name>example.com</domain:name>
        <domain:period unit="y">1</domain:period>
        <domain:ns>
          <domain:hostObj>ns1.example.com</domain:hostObj>
        </domain:ns>
      </domain:create>
    </create>
  </command>
</epp>

The registry processes the command and responds with success or failure. If successful, the domain is now registered.

Security

EPP requires TLS.² No exceptions. Every connection to port 700 must be encrypted before any EPP commands are exchanged. This protects authentication credentials and prevents tampering with domain registration data in transit.

Registries authenticate registrars using client certificates, passwords, or both. Only authorized registrars can access the EPP interface. You can't just connect to a registry's port 700 and start registering domains.

EPP Status Codes

EPP introduced standardized domain status codes that registrars and registries use to communicate domain states.⁷ These codes control what operations are allowed:

• clientTransferProhibited — Domain can't be transferred
• serverHold — Domain won't resolve (registry suspension)
• pendingDelete — Domain is scheduled for deletion
• ok — No restrictions, normal state

These codes are visible in WHOIS data and affect what actions can be performed on a domain.

The Broader Impact

EPP didn't just standardize communication—it made the modern domain industry possible. Before EPP, launching a new registrar meant building custom integrations with every registry. After EPP, you implement the standard once and connect to hundreds of registries.

It enabled competition. Lowered barriers to entry. Made the domain registration market what it is today—dozens of registrars, hundreds of TLDs, prices driven by competition instead of monopoly.

Port 700 is quiet infrastructure. But every domain you've ever registered passed through it.

Related Ports

• Port 43 — WHOIS, the public lookup system for domain registration data
• Port 53 — DNS, the system that actually resolves domain names to IP addresses
• Port 3121 — Former EPP development and test port, now reclaimed by IANA²