EIF's Information Systems & Technical Conditions

There are some differences in the new registry system compared to the old one, regarding how contact objects are created and handled. Here are the main differences:

  • When a registrar is replaced, all contacts will be copied automatically.
  • The system will create the corresponding objects for the new registrar.
  • If a registrar does not name a created contact (e.g. in the case of a change of registrar, or the registrar does not select one when creating a contact in the Registrar's Portal), the system will do it automatically. The first part of the object name is the name of the registrar, separated from the following part by an automatically generated string. (Example: RNAME:6257D24F)
  • If a registrar chooses an object name, the system will prefix it with the name of the registrar, if the name of the registrar is not already the first element of the chosen name. The allowed characters are the ASCII alphabet, numerals, ':' and '-‘, the max length is 100 characters. All entered letters will be saved as uppercase letters.
  • In the case of some changes, like the changing (chg) of the registrant (contact object) or the updating of mail addresses of contact persons, a confirmation and/or notification message is sent to the contact's mail address, which is also the basis for finishing the operations that need confirmation. Therefore, the accuracy and functionality of the contacts' mail addresses are even more important than before.

When contact data are edited, should the object of the contact be edited or replaced?

If the ident field does not change, there is no need to replace the object itself. It is only important in the case of a change in the contact data of the registrant, as the system will interpret the replacement of the registrant's object as a change of registrant; even if the person in the object is the same. Therefore, if it is only an address or phone number which changes, only the contact's object should be updated.

Why won't the system allow editing the data of a domain or a contact?

The domain may have statuses that prohibit it (updateProhibited, pendingUpdate). The former of these two is administratively assigned, usually in the course of a procedural act like court proceedings or a deletion procedure. The latter means that an updating procedure has already been started and is waiting for completion, and no new update queries can be made before that finishes.

If it is not due to the status directly prohibiting the update, it is likely that the present (contact) data are faulty or incomplete. Detailed reasons will also show up in the error message.
<Why can the ident field of a contact not be edited?>

Editing the ident field would change the named person of the contact. If the person changes, a new contact object should be created. There are only two exceptional cases when changes concerning the ident field are allowed:

  1. If the type (attribute 'type') of the ident field (element <eis:ident>) is 'birthday' and the date format is incorrect (YYYY-MM-DD);
  2. If the country code (attribute 'cc' of the element <eis:ident>) is missing.
In other cases a new contact object has to be created for updating the data even if the contact person remains the same.

NOTE! In the case of a registrant's contact, the system will interpret the replacement of a contact's object as a change of registrant and a confirmation mail will be sent to the registrant's mail address and the operation will not be concluded unless an answer is received.

In which cases will the system send notifications to the contact's mail address?

The system will send out notifications in the case of a change of mail address, when the domain is being transferred to another registrant and in the case of a deletion query. In the cases of transfer and deletion of the domain, a confirmation mail will also be sent to the (current) registrant's mail address with a web link that can be used to either confirm or reject the pending operation. The sender email address of the message is noreply@internet.ee

The registry system will also send a one-time automated notification to all the contacts of an expired domain one day after the expiration.

What should be done if the registrant cannot answer the confirmation mail, but the registrant's intent has been verified?

If the registrar has established the registrant's intent, the verified='yes' parameter can be used in the update or delete query, in which case the desired operation will be performed at once, instead of sending the confirmation mail and assigning the pendingUpdate or pendingDelete status.

How can I use the verified='yes' parameter in the Registrar's Portal?

The web interface does not offer the functionality of switching this parameter on. To use it, the registrar will have to submit a query composed by themselves. Manually composed queries can be submitted through the Registrar's Portal using the <XML console>.
The test environment is meant for those who are considering becoming an .ee registrar and want to learn the various interfaces and services, as well as for the accredited registrars to perform various development and testing tasks.

Before a new registrar is accredited, the registrar will have to pass the <EPP test> in the test environment to ensure compliance of the registrar's technical systems and procedures with the requirements.

Locations of the interfaces of the test environment:

Registrar's Portal: https://testrar.internet.ee/registrar
Demo client: https://testweb.internet.ee/
EPP API: testepp.internet.ee:700
REPP API: https://testepp.internet.ee/repp/v1/
WHOIS: http://testwhois.internet.ee/v1/
Registrant's Portal: https://testrant.internet.ee/registrant

Applying for a test account

To obtain a test account; a certificate application, the IP address(es) and details for the personal ID code-based account should be submitted to the EIF. The EIF will issue a certificate for using the EPP and REPP test interfaces and will grant access to the test environment of the Registrar's Portal to the owners of the respective personal ID codes.

Persons who do not have an Estonian ID card can log in to the web environment with a username and a PKI certificate. In this case it should be noted that the CN in the certificate application should correspond to the desired username.

Data entered into the test environment

A registrar or a registrar candidate enters data into the test environment at their own risk.

NOTE! Operations that include the sending of messages to registrants will send these messages if the contact data are functional, so that this functionality may be tested as well. We recommend performing tests with contacts and domains that have been created specifically for this purpose or that belong to the testers themselves, not to actual customers.

Example domains for testing change of registrar

A domain belonging to another registrar as well as its authorisation code are needed for testing the changing of registrars. There are example domains in the system for this, and additional ones can be created as needed. When you start testing or if the sent domains have been used up, please inform us of your specific needs.

EPP test

The EPP test contains example tasks for all registration services and the most common operations. For instance: creating a contact and a domain, information query, updating a contact's data, changing the contacts and name servers of a domain, transferring a domain, changing the registrar, administration of DNSSEC entries, deleting a domain and reading poll messages.

More detailed tasks will be sent to a registrar candidate once they have announced that they are ready for the test.

  • How much time is allotted for taking the test? As a rule, we presume that the registrar has established the capability of their system to communicate with ours by the time they start the test, and the operations themselves should not take long, definitely not more than a few hours.
  • What if the registrar does not want to interface over EPP? In this case the registrar will take the test using just the web interface (the Registrar's Portal). All required operations can be performed through the web interface.


To obtain access, a certificate application, the IP address(es) and details for the personal ID code-based account should be submitted to the EIF. The EIF will issue a certificate for using the EPP and REPP interfaces and will grant access to the test environment of the Registrar's Portal to the owners of the respective personal ID codes.

Persons who do not have an Estonian ID card can log in to the web environment with a username and a PKI certificate. In this case it should be noted that the CN in the certificate application should correspond to the desired username.

When applying for IP access, please note if the IP is meant for EPP/REPP, the Registrar's Portal or both. For new user accounts of the Registrar's Portal, it should also be noted whether the user has the rights for EPP operations or for Billing functions, or both.

NOTE! The number of allowed IP addresses is regulated in the Registry Contract. IP addresses can be added one by one, not by ranges.

Addresses of the interfaces of the production environment:

What are the user rights levels in the Registrar's Portal?

There are 3 levels: A user with EPP rights has access to the functionality related to registration services, a user with billing rights sees the billing functionality and a user with both rights, sees both.

Can a registrar create and administrate new users?

Not at the moment. This functionality may be added in the future.
  • For performing paid registry operations (domain registration and renewal) there has to be sufficient credit on the registrar's account at least in the amount of the cost of the transactions to be performed.
  • The account cannot be negative. If there is not sufficient credit, the operation will not be completed and has to be performed again once credit has been added.
  • The quickest way to increase credit is via a bank link in the Registrar's Portal. When a bank transfer is used, the transfer may take up to one workday or even more, depending on the speed of bank transaction times. Bank account: EE557700771000598731, BIC/SWIFT: LHVBEE22
  • You can check your credit status in the Registrar's Portal (under the Billing menu) or using a REPP query. -> Link: https://github.com/internetee/registry/blob/master/doc/repp/v1/account.md

How can I view invoices that were created before adopting the new registry system?

Invoices created before December 1, 2015 can be viewed and downloaded from the archived version of the previous Registrar's Portal at: https://oldinvoice.internet.ee/registrar.

Other functions of the old portal are not operational.
A domain can have various statuses whether as a result of automated processes or for administrative reasons. The statuses are always set by the server. A customer can never directly set or remove a status.

  • ok - domain's default status when there are no other statuses;
  • serverRenewProhibited - renewal of the domain is prohibited;
  • serverTransferProhibited - change of registrar is prohibited;
  • serverUpdateProhibited - data updates are prohibited;
  • serverDeleteProhibited - deleting is prohibited;
  • serverManualInZone - the domain's name server are kept in the zone file in any case;
  • expired - the domain has not been renewed and its last registration period has expired;
  • serverHold - the name server entries of the domain have been removed from the zone file. This happens automatically to all expired domains 15 days after expiration.
  • pendingUpdate - waiting for the registrant's confirmation to a registrant change query;
  • pendingDeleteconfirmation - waiting for the registrant's confirmation to a deletion query;
  • pendingDelete - the domain's deletion process is underway;
  • serverForceDelete - a <deletion procedure> has been started for the domain;
  • serverRegistrantChangeProhibited - transfer of the domain, i.e. change of registrant is prohibited;
  • serverAdminChangeProhibited - changing the administrative contact(s) of the domain is prohibited;
  • serverTechChangeProhibited - changing the technical contact(s) of the domain is prohibited;
  • deleteCandidate - the domain is about to be deleted (the date has come when the domain will be deleted at a randomly chosen moment within the following 24 hours).

Why is the domain's status suddenly pendingUpdate and how do I remove it?

A domain will receive a pendingUpdate status if the registrant of the domain (the object of the registrant contact) changes during an update query. If that happens, a confirmation mail is always sent by default to the mail address of the previous contact. This happens also if a new contact object is created for the registrant's person and an attempt is made to replace the old one with it. Thus it may happen that the domain gets the pendingUpdate status without there having been a plan to initiate a transfer of the domain.

If the registrant rejects the operation, the domain's status before the query is restored and there is no update. If the registrant confirms the operation, it will be performed. If the registrant does not react to the confirmation mail at all, the pendingUpdate status will be lifted by the server automatically after 48 hours, also cancelling the pending operation.

If a domain has received a pendingUpdate status as a result of an accidental operation or it has been discovered in the course of the operation that the confirmation mail has not reached the person it was sent to, and you do not want to wait for the 48 hours to pass, you will have to contact the EIF to lift the status through an administrative procedure.

  • How can I restore a domain that the owner allowed to be deleted, but then reconsidered? After the issuing of the deletion command, the domain will be in DeletePending status for 30 days. During this period, it is possible to restore the previous status of the domain if the registrant wishes to do so. To do that, a corresponding signed application has to be submitted to the registrar, who will forward it to the EIF. The registrar itself cannot cancel the deletion of a domain.

In which cases is it impossible to renew a domain?

A domain cannot be renewed if:

  • The domain <status> prohibits it;
  • The registrar does not have sufficient <credit>;
  • The domain belongs to another registrar.

A domain was renewed for a lesser number of periods than requested by the customer. Can we add one more period right away?

Yes, if the sum of the periods is not more than the maximum period allowed in the domain regulation.

The registrar's information system shows that a domain has been renewed but the customer says that an expiry notification was sent to them?

First, it should be checked via <WHOIS>, <the Registrar's Portal> or <EPP interface> if the domain has been successfully renewed. The <failure of the query for various reasons> may not be reflected in the registrar's system.

If the domain is renewed by the current moment, but the customer has received an expiry notification, the domain expired before the renewal. The system will not send an expiry notification to domains that are renewed before the expiry.

Renewal of an Expired or Ended Domain

  • Domains can be renewed after they have expired. The renewal of an expired domain does not differ from an ordinary renewal technically nor pricewise.
  • An expired domain has the status 'expired'. Once the domain is renewed, the registry will remove it immediately.
  • A domain that has had the 'expired' status for 15 days will be removed from the zone (it ends). The domain is no longer in the name servers servicing the .ee zone, but it can still be renewed in the course of 30 days. After an expired and ended domain has been renewed, it will reappear in the .ee zone after 10 minutes at the latest.
  • A domain that has had ended status for 30 days after its expiry will be assigned the status 'deleteCandidate' and it will be deleted during the following 24-hour period at a moment chosen randomly by the system. A domain that has the 'deleteCandidate' status can no longer be renewed. After the domain has been deleted from the registry, it will be immediately available for anyone.
The EIF uses WHOIS to publish the status(es) of a domain, its registration, the last change and expiration dates, the registrar, the name servers, the dnssec key, names and mail addresses of the registrant and the other contacts. If the contact is an organization, their business registry code will also be published.

After the registration of a domain, this data becomes available for WHOIS querying immediately.

The mail addresses of contacts are visible only through a captcha-protected WHOIS service, available through the homepage of the EIF and Rest WHOIS.

  • Unix WHOIS: whois.tld.ee
  • Rest WHOIS: http://rwhois.internet.ee
  • Homepage: http://internet.ee

Is the information displayed in WHOIS always up to date? What should I do if it differs from the data entered into the registry system?

First, it should be checked that the EIF's own WHOIS service is used as directly as possible, not the service mediated by another service provider, which may contain outdated data. Then, if the query is performed by a registrar, it should be checked if the changes you are looking for in WHOIS have reached the registry.

WHOIS data should always be up to date, but it should be remembered that before the data reaches WHOIS, it will have to be in the registry. In case of differences, the data coming directly from the registry system is always correct.


What determines if the business registry code of a contact is published in WHOIS?

When creating the contact, the registrar defines if they are a private or legal person with the ident element type 'priv' or 'org'. The system assumes all contacts with the ident type 'org' are legal persons.
Restrictions applicable to EPP queries are stipulated in the Registry Contract Annex 1 - Technical Terms & Conditions

  • Up to 4 sessions are allowed simultaneously and up to 4 IP addresses with access to EPP.
  • The number of addresses used for accessing the billing functions of the Registrar's Portal is not limited.
  • A session may be inactive for 5 minutes, then it will expire.
  • Every EPP query resulting in an error message will block the session for up to 1 second.
  • The query limit of EPP is up to 100 queries per minute. Login and logout commands count as queries.

Poll Messages

  • Poll messages can be read in the Registrar's Portal (if the user has the rights for EPP operations) or using the <poll> command over EPP.
  • A <poll> command with the op="req" attribute displays the next unread message. A read message is removed from the queue using the <poll op="ack"> command.

Access Problems

  • How to add a new user to the Registrar's Portal?
An authorisation should be sent to the EIF along with the name, personal ID code, desired rights, and, if needed, the IP addresses for access if they differ from the ones previously submitted.

  • What should be done if the issued access credentials do not work for some reason?
Information as precise as possible regarding any non-functioning access and the nature of the error messages should be collected and forwarded to us (jaana.jarve@internet.ee). Significant details include: the date and time of the queries, the username, the IP address the query came from and the interface that was addressed. In case of Internet connection problems, output of the traceroute command could be of help.
DNSSEC (Domain Name System Security Extensions) is a security key system that guarantees that the user will be directed to the webpage he or she entered into the browser. For example, DNSSEC will guarantee that after entering the URL of an Internet banking environment, a user will not be directed to a webpage with a similar look that has been set up by fraud organisers for stealing data and passwords.

What is the difference between providing a DNSSEC service and providing a Full DNSSEC service?

All accredited registrars of the .ee domain are obliged by the Domain Regulation to provide the DNSSEC service, i.e. if the customer wants to forward their DNSSEC keys to the domain registry, to remove, add or edit them, the registrar is obliged to provide this possibility.

See also:

DNSKEY Record Administration.

Full DNSSEC service means that the registrar is able not only to forward the key, but also to create and manage DNSSEC keys for the customers. In this case, the service provider is responsible for managing the DNSSEC infrastructure, creating the keys and protecting the private keys.

Best practice requires the service provider to publish the DPS (DNSSEC Practice Statement) of its DNSSEC solution, where the DNSSEC-related procedures and rules of the company are described.

If a registrar offers Full DNSSEC service to its customers, it can have the corresponding notification //meedia.internet.ee/photos/dnssec.png added to its name in the registrars’ comparison table on the home page of internet.ee.