All Products
Document Center

Sign signatures

Last Updated: Mar 01, 2019

The DLA service requires identity authentication for each request. Therefore, you must include the signature information in HTTP requests or HTTPS requests. By using the AccessKeyId and AccessKeySecret, DNS performs symmetric encryption to authenticate the request sender.

The AccessKeyId and AccessKeySecret are officially issued to visitors by Alibaba Cloud (visitors can apply for and manage them on the Alibaba Cloud official website). The AccessKeyId indicates the identity of the visitor. The AccessKeySecret is the secret key to encrypt the signature string and verify the signature string on the server. It must be kept strictly confidential and only be available to Alibaba Cloud and the authenticated visitor.

Perform the following steps to sign an access request:

  1. Use request parameters to construct a canonicalized query string.

    1. To construct a canonicalized query string, sort all request parameters by name in alphabetic order (case sensitive). The request parameters include common request parameters and operation-specific parameters, but exclude the Signature parameter in “Common request parameters”.

      Note: When you use the GET method to submit requests, these parameters constitute the parameter field of the request URL following the question mark (?) and connected by the ampersand (&).

    2. Encode the name and value of each request parameter. URL encodes parameter names and values based on the UTF-8 character set. The URL encoding rules are described as follows:

      a. Do not encode any of the following characters: A-Z, a-z, 0-9, hyphen (-), underscore (_), period (.), and tilde (~).

      b. Percent encode all other characters with %XY, with XY representing the hexadecimal ASCII value of the characters. For example, English double quotation marks (“) are encoded as %22.

      c. Percent encode extended UTF-8 characters in the “%XY%ZA…” format.

      d. Percent encode the English space character as %20. Do not percent encode the space character as a plus sign (+).


      Most libraries that support URL encoding, such as, comply with the encoding rules for the “application/x-www-form-urlencoded” MIME type. If this encoding method is used, replace the plus signs (+) in the encoded strings with %20, the asterisks (*) with %2A, and %7E with a tilde (~) to conform to the encoding rules.

    3. Separate the encoded parameter names from their encoded values with equal signs (=).

    4. Sort the equal sign-connected strings by their parameter names alphabetically and connect them with ampersands (&).

  2. Based on the created canonicalized query string, construct a string used for signature calculation based on the following rule:

    1. StringToSign= HTTPMethod + “&” + percentEncode(“/”) + ”&” + percentEncode(CanonicalizedQueryString)


    • HTTPMethod: the HTTP method that is used to submit a request, for example GET.

    • percentEncode(“/”): the encoded value (“%2F”) of a forward slash (/). The encoding follows the URL encoding rules described in 1.b.

    • percentEncode(CanonicalizedQueryString): the encoded string of the canonicalized query string constructed in step 1. It is created by following the URL encoding rules described in 1.b.

  3. Use the signature string to calculate the HMAC value of the signature as defined by RFC2104.

    Note: The Key used for signature calculation is the AccessKeySecret of the user with an ampersand (&) added at the end. The corresponding number of an ampersand (&) is 38 in ASCII codes. The SHA1 hashing algorithm is used.

  4. Encode the HMAC value into a string according to Base64 encoding rules. You can then obtain the signature value.

  5. Add this signature value to the request parameters as the value of the Signature parameter. You have now completed the request signing process.

    Note: When the obtained signature value is submitted to the DNS server as the final request parameter value, it must undergo URL encoding like other parameters according to RFC3986 rules.

    Using DescribeDomainRecords as an example, the request URL before signing is as follows:


    After signing, the StringToSign is as follows:

    1. GET&%2F&AccessKeyId%3Dtestid&Action%3DDescribeDomainRecords&

    If we assume the “AccessKeyId” is “testid”, the “AccessKeySecret” is “testsecret”, and the Key used for HMAC calculation is “testsecret&”, the calculated signature value is uRpHwaSEt3J+6KQD//svCh/x+pI=.

    In this example, the request URL after signing is as follows. The Signature parameter has been added to the URL.