Repository files navigation

• Overview
• Code
• Communication
• Release Keys
  • Verifying signatures
• Features
  • RFCs and Proposals

c-ares is a modern DNS (stub) resolver library, written inC. It provides interfaces for asynchronous queries while trying to abstract theintricacies of the underlying DNS protocol. It was originally intended forapplications which need to perform DNS queries without blocking, or need toperform multiple DNS queries in parallel.

One of the goals of c-ares is to be a better DNS resolver than is provided byyour system, regardless of which system you use. We recommend usingthe c-ares library in all network applications even if the initial goal ofasynchronous resolution is not necessary to your application.

c-ares will build with any C89 compiler and isMIT licensed,which makes it suitable for both free and commercial software. c-ares runs onLinux, FreeBSD, OpenBSD, MacOS, Solaris, AIX, Windows, Android, iOS and manymore operating systems.

c-ares has a strong focus on security, implementing safe parsers and databuilders used throughout the code, thus avoiding many of the common pitfallsof other C libraries. Through automated testing with our extensive testingframework, c-ares is constantly validated with a range of static and dynamicanalyzers, as well as being constantly fuzzed byOSS Fuzz.

While c-ares has been around for over 20 years, it has been actively maintainedboth in regards to the latest DNS RFCs as well as updated to follow the latestbest practices in regards to C coding standards.

The full source code and revision history is available in ourGitHub repository. Our signed releasesare available in therelease archives.

See theINSTALL.md file for build information.

Issues andFeature Requests should be reported to ourGitHub Issues page.

Discussions around c-ares and its use, are held onGitHub Discussionsor theMailing List. MailingList archivehere.Please, do not mail volunteers privately about c-ares.

Security vulnerabilities are treated according to ourSecurity Procedure, please email c-ares-security athaxx.se if you suspect one.

Primary GPG keys for c-ares Releasers (some Releasers sign with subkeys):

• Daniel Stenberg <daniel@haxx.se>27EDEAF22F3ABCEB50DB9A125CC908FDB71E12C2
• Brad House <brad@brad-house.com>DA7D64E4C82C6294CB73A20E22E3D13B5411B7CA

To import the full set of trusted release keys (including subkeys possibly usedto sign releases):

gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys 27EDEAF22F3ABCEB50DB9A125CC908FDB71E12C2# Daniel Stenberggpg --keyserver hkps://keyserver.ubuntu.com --recv-keys DA7D64E4C82C6294CB73A20E22E3D13B5411B7CA# Brad House

For each releasec-ares-X.Y.Z.tar.gz there is a correspondingc-ares-X.Y.Z.tar.gz.asc file which contains the detached signature for therelease.

After fetching all of the possible valid signing keys and loading into yourkeychain as per the prior section, you can simply run the command below onthe downloaded package and detached signature:

% gpg -v --verify c-ares-1.29.0.tar.gz.asc c-ares-1.29.0.tar.gzgpg: enabled compatibility flags:gpg: Signature made Fri May 24 02:50:38 2024 EDTgpg:                using RSA key 27EDEAF22F3ABCEB50DB9A125CC908FDB71E12C2gpg: using pgp trust modelgpg: Good signature from"Daniel Stenberg <daniel@haxx.se>" [unknown]gpg: WARNING: This key is not certified with a trusted signature!gpg:          There is no indication that the signature belongs to the owner.Primary key fingerprint: 27ED EAF2 2F3A BCEB 50DB  9A12 5CC9 08FD B71E 12C2gpg: binary signature, digest algorithm SHA512, key algorithm rsa2048

This project generatesSLSA provenance for its releases! This enables you toverify the integrity of the downloaded artifacts and ensure that the release wasgenerated from the intended repository.

To verify the provenance of the release, please follow the instructionshere.

Example:

$ curl -sO https://github.com/c-ares/c-ares/releases/download/v1.34.3/c-ares-1.34.3.intoto.jsonl$ curl -sO https://github.com/c-ares/c-ares/releases/download/v1.34.3/c-ares-1.34.3.tar.gz$ slsa-verifier verify-artifact c-ares-1.34.3.tar.gz \    --provenance-path c-ares-1.34.3.intoto.jsonl \    --source-uri github.com/c-ares/c-ares \    --source-tag v1.34.3Verified signature against tlog entry index 147812470 at URL: https://rekor.sigstore.dev/api/v1/log/entries/108e9186e8c5677a9bfd5bc5181d05ada688a805f9a59cfd082dec27cb6d6567f85b7382eea39dc5Verified build using builder "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v2.0.0" at commit c29e75d54c3743783d51a609980495cf553b4bcaVerifying artifact c-ares-1.34.3.tar.gz: PASSEDPASSED: SLSA verification passed

SeeFeatures

• RFC1035.Initial/Base DNS RFC
• RFC2671,RFC6891.EDNS0 option (meta-RR)
• RFC3596.IPv6 Address.AAAA Record.
• RFC2782.Server Selection.SRV Record.
• RFC3403.Naming Authority Pointer.NAPTR Record.
• RFC6698.DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol.TLSA Record.
• RFC9460.General Purpose Service Binding, Service Binding type for use with HTTPS.SVCB andHTTPS Records.
• RFC7553.Uniform Resource Identifier.URI Record.
• RFC6844.Certification Authority Authorization.CAA Record.
• RFC2535,RFC2931.SIG0 Record. Only basic parser, not full implementation.
• RFC7873,RFC9018.DNS Cookie off-path dns poisoning and amplification mitigation.
• draft-vixie-dnsext-dns0x20-00.DNS 0x20 query name case randomization to prevent cache poisioning attacks.
• RFC7686.Reject queries for.onion domain names withNXDOMAIN.
• RFC2606,RFC6761.Special case treatment forlocalhost/.localhost.
• RFC2308,RFC9520.Negative Caching of DNS Resolution Failures.
• RFC6724.IPv6 address sorting as used byares_getaddrinfo().
• RFC7413.TCP FastOpen (TFO) for 0-RTT TCP Connection Resumption.
• RFC3986.Uniform Resource Identifier (URI). Used for server configuration.