User ID and password[Link]

To access the EPP interface, you need to use a user ID and password. The user ID is the registrar ID that you have been attributed upon registration as a registrar. The password is the one that you have chosen when you activated your account. It is possible to change your EPP password on the Registrar Site. You will have to log in with the administrator account (registrar ID = user ID).

IP whitelisting[Link]

Before connecting to the EPP interface, DNS Belgium needs to know from which IP addresses you will be connecting. You can register your IP addresses via ‘My registrations’.

About EPP and the current .be system[Link]

EPP allows for extending the protocol. DNS Belgium opted to adapt the schema (through extensions and redefinitions) that reduce diverging from the ‘standard’ to the minimum. Get the schema definitions for reference.

Conceptual differences[Link]

The current version of the EPP schemas are based on some prerequisites or leave some possibilities open that are incompatible with the DNS Belgium implementation of the registration information. In the following list, we will discuss the conceptual differences between the two models. In most cases each of these differences will require some modification to the standard.

  • DNS Belgium: a contact has a type BY DEFINITION and can only be used in that role. If the same person has 2 roles (e.g. a billing contact and a registrar technical contact) then it has to be defined twice.

    EPP: defines a contact without a type. It derives its type from its usage. The same contact object can be used in different roles.

  • DNS Belgium: a contact object belongs to a registrar and cannot be transferred to another registrar (registrar).

    EPP: a contact is generic, and control can be passed on to another registrar.

  • DNS Belgium: a name server is not an independent object, it is an attribute of the domain and comes into existence when it is linked to a domain. When it belongs to the same domain as the one it is linked to, it must be provided with an IP address (a ‘glue record’).

    EPP: two ways of working are possible:

    • name servers are objects in their own right. If they need glue records (IP addresses), they must be created before they can be linked to a domain.

    • Name servers are just ‘attributes’ of domain name registration. This corresponds to the way DNS Belgium works.

  • DNS Belgium: has objects called name server groups, which are sets of name servers.

    EPP: this type is unknown to EPP

  • DNS Belgium: has objects called keygroups, which are sets of DNSSEC keys.

    EPP: this type is unknown to EPP

Data differences[Link]

The following tables will give an idea of the data differences that exist between EPP and the DNS Belgium implementation. More detailed information can be found in the description of each command.

DOMAIN object

DNS Belgium









No change in schema but the back-end application returns an error when name is longer then 63. [1]

ns (hostName)



No change in the schema but software returns an error when shorter than 4 or longer than 100.

ns (hostAddr)



No change in the schema but the back-end checks if the IP address is valid. We support IPv4 and IPv6 addresses.







CONTACT object

DNS Belgium









EPP will return an error if the field is longer than 50 chars.


2 (nl,fr,en)


defined as an extension




If the ‘org’ field is longer than 100 characters, an error is returned.



min 1

If the ‘email’ field is longer that 255 characters, an error is returned.




defined as an extension


The following commands are not available in the DNS Belgium EPP interface:

  • renew: NOT AVAILABLE; renewals are automatic at the end of each domain name year unless the domain name is removed from the database.

  • transfer approve: NOT IMPLEMENTED; the mechanism of the transfer of a domain name from one registrar to another requires the explicit approval of the registrant, the registrant provides an authorisation code to the registrar. See Transfer procedure

  • transfer reject: NOT IMPLEMENTED; see previous item

  • transfer query: NOT IMPLEMENTED; see previous item

Transport and security[Link]

DNS Belgium provides EPP only on a Secure Layer (TLS) mechanism over standard TCP/IP sockets: The protocol used is TLSv1.2 or TLSv1.3 with one of the following ciphers:

  • For TLSv1.2

    • (0x00,0x6B) TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

    • (0xC0,0x2F) TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

    • (0xC0,0x30) TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

    • (0x00,0x9F) TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

  • For TLSv1.3

    • (0x13,0x01) TLS_AES_128_GCM_SHA256

    • (0x13,0x02) TLS_AES_256_GCM_SHA384


DNS Belgium recommends the use of TLSv1.3 because this has higher security. Please update if you are still using TLSv1.2.

EPP may only be used in synchronous mode: a response to a command must be received by the client before sending another command. DNS Belgium only provides a connection-oriented EPP service.

EPP sessions[Link]

DNS Belgium guarantees at least 2 simultaneous EPP sessions (connections) per registrar with our EPP server. If our EPP server can handle more connections easily, then it might be possible that DNS Belgium allows more than 2 simultaneous connections per registrar (maximum 5). So, the number of maximum simultaneous connections varies between 2 and 5.

As a registrar you can specify 10 IP addresses from which you are allowed to connect with our EPP server. Although you have 10 IP addresses, DNS Belgium might allow only 2 simultaneous connections. In other words, the number of IP addresses that you specify is not related in any way with the number of allowed connections.

Connections which are idle for more than 4 minutes will be closed down by our EPP server.

For example, DNS Belgium allows a maximum of 2 simultaneous EPP sessions. Suppose you have 2 simultaneous connections. When opening a third connection, you will be able to send and receive transactions on this connection. Trying the eldest connection will result in a ‘Session limit exceeded’ message and the connection will be closed on our side. In other words, you will always fall back to your 2 most recent connections.

The error message looks like:

<epp xmlns="urn:ietf:params:xml:ns:epp-1.0" xmlns:dnsbe="">
    <result code="2502">
      <msg>Session limit exceeded; server closing connection</msg>
          <dnsbe:msg>last session from X.X.X.X:XXX</dnsbe:msg>

If 2 sessions are enough for your registration system (and in normal situations that should be more than enough) then you don’t need to take special measures in your software. But if you are sure you might need more connections, then you should make your software scalable so that you can adapt the number of connections depending on our (variable) maximum number of connections.

The tryout system is fixed to maximum 5 connections per registrar, the tryout system is there for functionality testing and not for high volume testing, so DNS Belgium doesn’t see the need for more connections there.

Versions & ports[Link]

The EPP standard protocol stipulates that the version field (as returned by the greeting and required by the login command) should be ‘1.0’.

DNS Belgium uses 33128 as official system port.

The actual server name and port can always be verified on our Public website.


We accept both U-label and A-label as input for EPP. The EPP response will only use the A-label for IDN names, both in succeeded and in error messages.

For name servers, we also accept both U-label and A-label. The EPP response will only use the A-label for IDN name servers.


Our implementation of the EPP XML server uses an XML schema specification parsing mechanism. A client who wants to design an EPP client implementation should obtain from DNS Belgium the EPP XML schema (.xsd files) used to validate all XML messages sent to the server for conformance with the DNS Belgium EPP implementation.


All client XML EPP messages sent to the DNS Belgium EPP server should have been validated against the latest XML EPP schema provided by DNS Belgium prior to their use.

EPP objects used[Link]


schema: epp-1.0.xsd
(generic document, containing the root element:<epp>)


schema: eppcom-1.0.xsd
(generic data definitions)


schema: domain-1.0.xsd
(domain specific commands)


schema: contact-1.0.xsd
(contact specific commands)


schema: host-1.0.xsd
(nameserver specific definitions)


schema: nsgroup-1.0.xsd
(added to handle nameserver groups)


schema: secDNS-1.1.xsd
(key specific definitions)


schema: keygroup-1.0.xsd
(added to handle keyroups)


schema: registrar-1.0.xsd
(added to handle registrar info)

All DNS Belgium specific modifications to the standard schemas are marked by ‘START/END MODIF DNS BE’ markers.

DNS Belgium specific extensions to EPP[Link]

schema: dnsbe-1.0.xsd


DNS Belgium ignores schema references in an XML command and validates the incoming command against a fixed set of schemas as listed above.

To support additional features required for the provisioning of DNS security extensions, the EPP server used by DNS Belgium is fully compliant with RFC-5910. For backwards compatibility RFC-5910 describes two possible interfaces through which a client can create, add, and remove Delegation Signer (DS) information or keydata information for a domain name.

The EPP server implemented by DNS Belgium only supports the newer “Key Data Interface”.

DNS Belgium recommends following prefix for the namespaces:


Namespace prefix