[stork-users] Stork-Agent issue parsing bind9 conf
Marcin Siodelski
marcin at isc.org
Tue Mar 3 09:26:40 UTC 2026
Hello Math,
Thank you for reporting the issues with our BIND 9 configuration parser. We will be working on them under ticket: https://gitlab.isc.org/isc-projects/stork/-/issues/2322.
Having said that, could you please be more specific regarding:
"I believe the statement was not well understood even before v2.4.0, since zone transfers from Stork never worked even if the stork-agent IP (localhost) was included in the "axfr-clients" ACL."
In particular, can you please paste what sort of errors (if any) you're observing in such a case? Any extra information will be a great help to solve issues with zone transfers promptly. If possible, please put your comments in the GL issue: https://gitlab.isc.org/isc-projects/stork/-/issues/2322
Kind Regards,
Marcin Siodelski
On 2/27/26 11:45 PM, isc-mailing-list at secmail.8shield.net wrote:
Hello,

I upgraded Stork / Stork Agent to v2.4.0 and I encountered two bind configuration parsing issues when launching the Agent:

- support for "wildcard" in include statements, ex.:

    include "/etc/bind/named.conf.d/tls/*.conf";

- supporting the "!" in access statements, ex.:

    # Any address other than axfr-clients is rejected at once, but axfr-clients is
    # accepted as long as the key provided matches inside-view-key,
    # i.e. must match axfr-clients IP and key inside-view-key
    allow-transfer { !{ !axfr-clients; any; }; key inside-view-key; };

I don't know if these are already known issues. As a workaround I have included individual files instead of using wildcard. As for the "allow-transfer", I temporarily reverted to only requiring the key. I believe the statement was not well understood even before v2.4.0, since zone transfers from Stork never worked even if the stork-agent IP (localhost) was included in the "axfr-clients" ACL.

In the past, I've used a combination of //@stork:no-parse:global, //@stork:no-parse:scope and //@stork:no-parse:end to go around the problem or make it load faster. Can someone specify what is the minimum information that the stork-agent needs from the bind configuration file for it to operate normally?

Journal log examples for both issues:

This example is from parsing: include "/etc/bind/named.conf.d/http/*.conf";

Feb 25 15:16:08 dns02.redacted.net stork-agent[338947]: time="2026-02-25 15:16:08" level="warning" msg="Failed to detect BIND 9 DNS server daemon" file=" monitor.go:427 " error="failed to configure BIND 9 daemon: failed to resolve include statements in BIND 9 config file: failed to open BIND 9 config file: /etc/bind/named.conf.d/http/*.conf: open /etc/bind/named.conf.d/http/*.conf: no such file or directory" stackTrace="open /etc/bind/named.conf.d/http/*.conf: no such file or directoryfailed to open BIND 9 config file: /etc/bind/named.conf.d/http/*.conf isc.org/stork/daemoncfg/bind9.(*Parser).ParseFile \t/builds/isc-projects/stork/backend/daemoncfg/bind9/parser.go:137 isc.org/stork/daemoncfg/bind9.(*Config).Expand \t/builds/isc-projects/stork/backend/daemoncfg/bind9/config.go:566 isc.org/stork/agent.(*monitor).configureBind9Daemon \t/builds/isc-projects/stork/backend/agent/bind9.go:354 isc.org/stork/agent.(*monitor).detectBind9Daemon \t/builds/isc-projects/stork/backend/agent/bind9.go:495 isc.org/stork/agent.(*monitor).detectDaemons \t/builds/isc-projects/stork/backend/agent/monitor.go:425 isc.org/stork/agent.(*monitor).run \t/builds/isc-projects/stork/backend/agent/monitor.go:319 runtime.goexit \t/builds/isc-projects/stork/tools/golang/go/src/runtime/asm_amd64.s:1693 failed to resolve include statements in BIND 9 config file failed to configure BIND 9 daemon"

From trying to parse: allow-transfer { !{ !axfr-clients; any; }; key inside-view-key; };

Feb 25 17:19:16 dns01.redacted.net stork-agent[347703]: time="2026-02-25 17:19:16" level="warning" msg="Failed to detect BIND 9 DNS server daemon" file=" monitor.go:427 " error="failed to configure BIND 9 daemon: failed to parse BIND 9 config file: failed to parse Bind9 config file: /etc/bind/named.conf: /etc/bind/named.conf:148:22: unexpected token \"!\" (expected \"}\")" stackTrace="/etc/bind/named.conf:148:22: unexpected token \"!\" (expected \"}\") failed to parse Bind9 config file: /etc/bind/named.conf isc.org/stork/daemoncfg/bind9.(*Parser).parse \t/builds/isc-projects/stork/backend/daemoncfg/bind9/parser.go:112 isc.org/stork/daemoncfg/bind9.(*Parser).Parse \t/builds/isc-projects/stork/backend/daemoncfg/bind9/parser.go:145 isc.org/stork/daemoncfg/bind9.(*Parser).ParseFile \t/builds/isc-projects/stork/backend/daemoncfg/bind9/parser.go:140 isc.org/stork/agent.(*monitor).configureBind9Daemon \t/builds/isc-projects/stork/backend/agent/bind9.go:347 isc.org/stork/agent.(*monitor).detectBind9Daemon \t/builds/isc-projects/stork/backend/agent/bind9.go:495 isc.org/stork/agent.(*monitor).detectDaemons \t/builds/isc-projects/stork/backend/agent/monitor.go:425 isc.org/stork/agent.(*monitor).run \t/builds/isc-projects/stork/backend/agent/monitor.go:319 runtime.goexit \t/builds/isc-projects/stork/tools/golang/go/src/runtime/asm_amd64.s:1693 failed to parse BIND 9 config file failed to configure BIND 9 daemon"

Best,
Math.
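
Added example, not part of the original thread and not Stork or BIND code: a simplified Go model of BIND 9's first-match address-match-list evaluation, applied to the allow-transfer statement quoted in the report, showing that the nested negation admits a transfer only when both the source address and the TSIG key match. The contents of axfr-clients and the names Elem, match and AllowTransfer are assumptions made for illustration; an empty key string stands for an unsigned request.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Elem is one address-match-list element; Neg marks a leading "!".
type Elem struct {
	Neg, Any bool
	Prefix   netip.Prefix // zero value means "not an address element"
	Key      string       // TSIG key name from "key <name>"
	Nested   []Elem       // "{ ... }" or an expanded named ACL
}

// match returns +1 (accept), -1 (reject) or 0 (nothing matched). The first
// matching element decides; a nested list matches only when it accepts.
func match(list []Elem, addr netip.Addr, key string) int {
	for _, e := range list {
		hit := e.Any
		switch {
		case e.Nested != nil:
			hit = match(e.Nested, addr, key) > 0
		case e.Key != "":
			hit = e.Key == key
		case e.Prefix.IsValid():
			hit = e.Prefix.Contains(addr)
		}
		if hit && e.Neg {
			return -1
		} else if hit {
			return 1
		}
	}
	return 0
}

// AllowTransfer models the statement from the report; the contents of
// axfr-clients are constructed sample values, not taken from the post.
func AllowTransfer(addr, key string) bool {
	axfr := []Elem{{Prefix: netip.MustParsePrefix("127.0.0.1/32")}, {Prefix: netip.MustParsePrefix("192.0.2.0/24")}}
	inner := []Elem{{Neg: true, Nested: axfr}, {Any: true}} // { !axfr-clients; any; }
	acl := []Elem{{Neg: true, Nested: inner}, {Key: "inside-view-key"}}
	return match(acl, netip.MustParseAddr(addr), key) > 0
}

func main() {
	fmt.Println(AllowTransfer("127.0.0.1", "inside-view-key"), AllowTransfer("127.0.0.1", ""))
}
```

A parser that drops the "!" or flattens the nested list would turn this statement into a much wider grant, so a configuration reader should either model both or refuse the statement.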