Alibaba Cloud DNS authenticates every access request, so each request must carry signature information regardless of whether it is sent over HTTP or HTTPS. Alibaba Cloud DNS uses symmetric encryption based on an AccessKey pair, which consists of an AccessKey ID and an AccessKey secret, to verify the identity of the request sender.

Alibaba Cloud issues the AccessKey ID and AccessKey secret (you can apply for and manage them on the Alibaba Cloud official website). The AccessKey ID identifies the user, while the AccessKey secret is used to generate the signature string and to verify it on the server. You must keep your AccessKey secret strictly confidential.

When calling an API, you need to perform the following steps to sign the request:

  1. Use request parameters to create a canonicalized query string.

    a. To create a canonicalized query string, arrange the request parameters (all common and operation-specific parameters except Signature) in alphabetical order by parameter name. The sort is case-sensitive. If the request is submitted by using the GET method, these parameters are placed in the query section after a question mark (?) in the request URI and connected with ampersands (&).

    b. Encode the name and value of each request parameter. The parameter names and values must be URL encoded using UTF-8. The URL encoding rules are described as follows:
    • Uppercase letters, lowercase letters, digits, and some special characters such as hyphens (-), underscores (_), periods (.), and tildes (~) do not need to be encoded.
    • Other characters must be percent encoded in %XY format. XY represents the ASCII code of the characters in hexadecimal notation. For example, double quotation marks (") are encoded as %22.
    • Extended UTF-8 characters are encoded in %XY%ZA... format.
    • Spaces must be encoded as %20. Do not encode spaces as plus signs (+).
    Note Generally, all the libraries that support URL encoding (for example, java.net.URLEncoder) perform encoding based on the rule of the application/x-www-form-urlencoded MIME type. If you use this encoding method, you can replace the plus sign (+) with %20, asterisk (*) with %2A, and %7E with the tilde (~) in the encoded string to obtain the required string.

    c. Connect the encoded parameter names and values with the equal sign (=).

    d. Arrange the parameter name and value pairs connected with equal signs (=) in alphabetical order and connect the pairs with ampersands (&).

  2. Create a string-to-sign from the encoded canonicalized query string.
    StringToSign=
          HTTPMethod + "&" +
          percentEncode("/") + "&" +
          percentEncode(CanonicalizedQueryString)
    where,
    • HTTPMethod: indicates the HTTP method used to submit the request, such as GET.
    • percentEncode("/"): indicates the encoded value for the forward slash (/) based on the URL encoding rules described in the preceding step, which is %2F.
    • percentEncode(CanonicalizedQueryString): indicates the encoded string for the created canonicalized query string based on the URL encoding rules described in the preceding step.
  3. Calculate the hash-based message authentication code (HMAC) of the string-to-sign as defined in RFC 2104. The key used for signature calculation is your AccessKey secret with an ampersand (&, ASCII 38) appended. Use SHA1 as the hash algorithm for the HMAC.
  4. Encode the HMAC value in Base64 to obtain the signature string.
  5. Add the signature string to the request as the Signature parameter to complete the request signing process.
    Note Like every other parameter, the obtained signature string must be URL encoded according to RFC 3986 before it is submitted to the DNS server as the value of the final request parameter.

Take DescribeDomainRecords as an example. The request URL before signing is as follows:

http://alidns.aliyuncs.com/?Format=XML&AccessKeyId=testid&Action=DescribeDomainRecords&SignatureMethod=HMAC-SHA1&DomainName=example.com&SignatureNonce=f59ed6a9-83fc-473b-9cc6-99c95df3856e&SignatureVersion=1.0&Version=2015-01-09&Timestamp=2016-03-24T16:41:54Z

The resulting StringToSign is as follows (note that the ampersands inside the canonicalized query string are encoded as %26 and the already-encoded colons of the timestamp become %253A, because the whole canonicalized query string is percent-encoded a second time):

GET&%2F&AccessKeyId%3Dtestid%26Action%3DDescribeDomainRecords%26DomainName%3Dexample.com%26Format%3DXML%26SignatureMethod%3DHMAC-SHA1%26SignatureNonce%3Df59ed6a9-83fc-473b-9cc6-99c95df3856e%26SignatureVersion%3D1.0%26Timestamp%3D2016-03-24T16%253A41%253A54Z%26Version%3D2015-01-09

Assume that the AccessKey ID is testid and the AccessKey secret is testsecret, so the key used for the HMAC calculation is testsecret&. The calculated signature string is as follows:

uRpHwaSEt3J+6KQD//svCh/x+pI=

The signed request URL with the Signature parameter added is as follows:

http://alidns.aliyuncs.com/?Format=XML&Action=DescribeDomainRecords&AccessKeyId=testid&SignatureMethod=HMAC-SHA1&DomainName=example.com&SignatureNonce=f59ed6a9-83fc-473b-9cc6-99c95df3856e&Version=2015-01-09&SignatureVersion=1.0&Signature=uRpHwaSEt3J%2B6KQD%2F%2FsvCh%2Fx%2BpI%3D&Timestamp=2016-03-24T16%3A41%3A54Z
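The following Python script is an added example that walks through all five signing steps on the worked example above; it is not code from the Alibaba Cloud SDK or from this page. It uses only the page's test values (testid, testsecret, the nonce and timestamp shown), the function names are this example's own, and it also includes the post-processing of application/x-www-form-urlencoded output described in the Note under step 1b and a server-side verification routine that compares signatures in constant time.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Values taken from the worked example on this page (test credentials, not real ones).
ENDPOINT = "http://alidns.aliyuncs.com/"
ACCESS_KEY_ID = "testid"
ACCESS_KEY_SECRET = "testsecret"
EXAMPLE_PARAMS = {
    "Format": "XML",
    "AccessKeyId": ACCESS_KEY_ID,
    "Action": "DescribeDomainRecords",
    "SignatureMethod": "HMAC-SHA1",
    "DomainName": "example.com",
    "SignatureNonce": "f59ed6a9-83fc-473b-9cc6-99c95df3856e",
    "SignatureVersion": "1.0",
    "Version": "2015-01-09",
    "Timestamp": "2016-03-24T16:41:54Z",
}


def percent_encode(value: str) -> str:
    """RFC 3986 encoding as the signing rules require: only A-Z a-z 0-9 - _ . ~
    stay literal; space becomes %20 (never +), '*' becomes %2A, '/' becomes %2F."""
    return quote(str(value), safe="-_.~")


def form_encoding_to_rfc3986(encoded: str) -> str:
    """Post-process the output of an application/x-www-form-urlencoded encoder
    (java.net.URLEncoder style) into the form the signing rules require."""
    return encoded.replace("+", "%20").replace("*", "%2A").replace("%7E", "~")


def canonicalized_query_string(params: dict) -> str:
    """Step 1: drop Signature, sort by parameter name (case-sensitive), encode
    names and values, join each pair with '=' and the pairs with '&'."""
    pairs = sorted((k, v) for k, v in params.items() if k != "Signature")
    return "&".join(f"{percent_encode(k)}={percent_encode(v)}" for k, v in pairs)


def string_to_sign(http_method: str, params: dict) -> str:
    """Step 2: HTTPMethod & percentEncode("/") & percentEncode(CanonicalizedQueryString)."""
    return "&".join([http_method, percent_encode("/"),
                     percent_encode(canonicalized_query_string(params))])


def compute_signature(http_method: str, params: dict, access_key_secret: str) -> str:
    """Steps 3-4: HMAC-SHA1 keyed with AccessKey secret + '&', then Base64."""
    key = (access_key_secret + "&").encode("utf-8")
    mac = hmac.new(key, string_to_sign(http_method, params).encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def signed_request_url(endpoint: str, http_method: str, params: dict,
                       access_key_secret: str) -> str:
    """Step 5: add Signature to the query string; the signature value is itself
    percent-encoded like every other parameter (+ -> %2B, / -> %2F, = -> %3D)."""
    signed = dict(params)
    signed["Signature"] = compute_signature(http_method, params, access_key_secret)
    query = "&".join(f"{percent_encode(k)}={percent_encode(v)}" for k, v in signed.items())
    return f"{endpoint}?{query}"


def verify_signature(http_method: str, params: dict, access_key_secret: str) -> bool:
    """Server-side check: recompute the signature from the received parameters
    (Signature itself is excluded by canonicalized_query_string) and compare in
    constant time so the comparison leaks nothing about the expected value."""
    presented = params.get("Signature")
    if not presented:
        return False
    expected = compute_signature(http_method, params, access_key_secret)
    return hmac.compare_digest(presented, expected)


if __name__ == "__main__":
    print(string_to_sign("GET", EXAMPLE_PARAMS))
    print(compute_signature("GET", EXAMPLE_PARAMS, ACCESS_KEY_SECRET))
    print(signed_request_url(ENDPOINT, "GET", EXAMPLE_PARAMS, ACCESS_KEY_SECRET))
```

Because every parameter except Signature is covered by the HMAC, changing any of them after signing (for instance DomainName) invalidates the signature, which is what `verify_signature` detects on the server; the SignatureNonce and Timestamp parameters are what let the server additionally reject replayed requests.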

This topic describes only how request signatures are computed. We strongly recommend that you use an SDK when you call the API.