<html><body><p>Hello Math,</p>
<p>Thank you for reporting the issues with our BIND 9 configuration
parser. We will be working on them under ticket:
<a href="https://gitlab.isc.org/isc-projects/stork/-/issues/2322" target="_blank" rel="noopener noreferrer">https://gitlab.isc.org/isc-projects/stork/-/issues/2322</a>.</p>
<p>Having said that, could you please be more specific regarding:</p>
<pre class="moz-quote-pre"><p>"I believe the statement was not well understood even before v2.4.0, since zone transfers from Stork never worked even if the stork-agent IP (localhost) was included in the "axfr-clients" ACL."</p></pre>
<p>In particular, can you please paste what sort of errors (if any)
you're observing in such a case? Any extra information will be a
great help to solve issues with zone transfers promptly. If
possible, please put your comments in the GL issue: <a href="https://gitlab.isc.org/isc-projects/stork/-/issues/2322" target="_blank" rel="noopener noreferrer">https://gitlab.isc.org/isc-projects/stork/-/issues/2322</a></p>
<p>Kind Regards,</p>
<p>Marcin Siodelski</p>
<div class="moz-cite-prefix">On 2/27/26 11:45 PM,
<a href="mailto:isc-mailing-list@secmail.8shield.net" target="_blank" rel="noopener noreferrer">isc-mailing-list@secmail.8shield.net</a> wrote:<br>
</div>
<blockquote>
<pre class="moz-quote-pre">Hello,
I upgraded Stork / Stork Agent to v2.4.0 and I encountered two bind configuration parsing issues when launching the Agent:
- support for "wildcard" in include statements, ex.:
include "/etc/bind/named.conf.d/tls/*.conf";
- supporting the "!" in access statements, ex.:
# Any address other than axfr-clients is rejected at once, but axfr-clients is
# accepted as long as the key provided matches inside-view-key,
# i.e. must match axfr-clients IP and key inside-view-key
allow-transfer { !{ !axfr-clients; any; }; key inside-view-key; };
I don't know if these are already known issues. As a workaround I have included individual files instead of using wildcard.
As for the "allow-transfer", I temporarily reverted to only requiring the key. I believe the statement was not well understood even before v2.4.0, since zone transfers from Stork never worked even if the stork-agent IP (localhost) was included in the "axfr-clients" ACL.
In the past, I've used a combination of //@stork:no-parse:global, //@stork:no-parse:scope and //@stork:no-parse:end to go around the problem or make it load faster. Can someone specify what is the minimum information that the stork-agent needs from the bind configuration file for it to operate normally?
Journal log examples for both issues:
This example is from parsing: include "/etc/bind/named.conf.d/http/*.conf";
Feb 25 15:16:08 dns02.redacted.net stork-agent[338947]: time="2026-02-25 15:16:08" level="warning" msg="Failed to detect BIND 9 DNS server daemon" file=" monitor.go:427 " error="failed to configure BIND 9 daemon: failed to resolve include statements in BIND 9 config file: failed to open BIND 9 config file: /etc/bind/named.conf.d/http/*.conf: open /etc/bind/named.conf.d/http/*.conf: no such file or directory" stackTrace="open /etc/bind/named.conf.d/http/*.conf: no such file or directoryfailed to open BIND 9 config file: /etc/bind/named.conf.d/http/*.conf
isc.org/stork/daemoncfg/bind9.(*Parser).ParseFile
\t/builds/isc-projects/stork/backend/daemoncfg/bind9/parser.go:137
isc.org/stork/daemoncfg/bind9.(*Config).Expand
\t/builds/isc-projects/stork/backend/daemoncfg/bind9/config.go:566
isc.org/stork/agent.(*monitor).configureBind9Daemon
\t/builds/isc-projects/stork/backend/agent/bind9.go:354
isc.org/stork/agent.(*monitor).detectBind9Daemon
\t/builds/isc-projects/stork/backend/agent/bind9.go:495
isc.org/stork/agent.(*monitor).detectDaemons
\t/builds/isc-projects/stork/backend/agent/monitor.go:425
isc.org/stork/agent.(*monitor).run
\t/builds/isc-projects/stork/backend/agent/monitor.go:319
runtime.goexit
\t/builds/isc-projects/stork/tools/golang/go/src/runtime/asm_amd64.s:1693
failed to resolve include statements in BIND 9 config file
failed to configure BIND 9 daemon"
From trying to parse: allow-transfer { !{ !axfr-clients; any; }; key inside-view-key; };
Feb 25 17:19:16 dns01.redacted.net stork-agent[347703]: time="2026-02-25 17:19:16" level="warning" msg="Failed to detect BIND 9 DNS server daemon" file=" monitor.go:427 " error="failed to configure BIND 9 daemon: failed to parse BIND 9 config file: failed to parse Bind9 config file: /etc/bind/named.conf: /etc/bind/named.conf:148:22: unexpected token \"!\" (expected \"}\")" stackTrace="/etc/bind/named.conf:148:22: unexpected token \"!\" (expected \"}\")
failed to parse Bind9 config file: /etc/bind/named.conf
isc.org/stork/daemoncfg/bind9.(*Parser).parse
\t/builds/isc-projects/stork/backend/daemoncfg/bind9/parser.go:112
isc.org/stork/daemoncfg/bind9.(*Parser).Parse
\t/builds/isc-projects/stork/backend/daemoncfg/bind9/parser.go:145
isc.org/stork/daemoncfg/bind9.(*Parser).ParseFile
\t/builds/isc-projects/stork/backend/daemoncfg/bind9/parser.go:140
isc.org/stork/agent.(*monitor).configureBind9Daemon
\t/builds/isc-projects/stork/backend/agent/bind9.go:347
isc.org/stork/agent.(*monitor).detectBind9Daemon
\t/builds/isc-projects/stork/backend/agent/bind9.go:495
isc.org/stork/agent.(*monitor).detectDaemons
\t/builds/isc-projects/stork/backend/agent/monitor.go:425
isc.org/stork/agent.(*monitor).run
\t/builds/isc-projects/stork/backend/agent/monitor.go:319
runtime.goexit
\t/builds/isc-projects/stork/tools/golang/go/src/runtime/asm_amd64.s:1693
failed to parse BIND 9 config file
failed to configure BIND 9 daemon"
Best,
Math.
</pre>
</blockquote>
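<p>An added example, not part of the original thread and not code from BIND 9 or Stork: a simplified first-match model of address match lists, showing why the nested negation in the quoted <code>allow-transfer</code> statement requires both a source address in <code>axfr-clients</code> and the key <code>inside-view-key</code>. The ACL contents and the <code>Elem</code>, <code>match</code> and <code>AllowTransfer</code> names are assumptions made for illustration.</p>

```go
package main

import (
	"fmt"
	"net/netip"
)

// Elem is one address-match-list element: "any", a prefix, a key, or a nested list.
type Elem struct {
	Neg    bool
	Any    bool
	Prefix string // CIDR, e.g. "127.0.0.1/32"
	Key    string
	Nested []Elem // also used for a reference to a named acl
}

// match returns 1 (accepted), -1 (rejected) or 0 (nothing matched).
func match(list []Elem, ip netip.Addr, key string) int {
	for _, e := range list {
		hit := e.Any
		switch {
		case e.Prefix != "":
			hit = netip.MustParsePrefix(e.Prefix).Contains(ip)
		case e.Key != "":
			hit = e.Key == key
		case e.Nested != nil:
			// Only a positive nested result is a hit; a negative one is
			// "no match", so the enclosing list keeps evaluating.
			hit = match(e.Nested, ip, key) > 0
		}
		if hit && e.Neg {
			return -1
		} else if hit {
			return 1
		}
	}
	return 0
}

// AllowTransfer models: allow-transfer { !{ !axfr-clients; any; }; key inside-view-key; };
func AllowTransfer(src, key string) bool {
	// Constructed ACL contents; the thread only says localhost is in axfr-clients.
	axfr := []Elem{{Prefix: "127.0.0.1/32"}, {Prefix: "192.0.2.53/32"}}
	inner := []Elem{{Neg: true, Nested: axfr}, {Any: true}}
	outer := []Elem{{Neg: true, Nested: inner}, {Key: "inside-view-key"}}
	return match(outer, netip.MustParseAddr(src), key) > 0
}

func main() {
	for _, src := range []string{"127.0.0.1", "203.0.113.9"} {
		for _, key := range []string{"inside-view-key", ""} {
			fmt.Printf("src=%-12s key=%-18q allowed=%v\n", src, key, AllowTransfer(src, key))
		}
	}
}
```

<p>A list in which nothing matches yields a denial, which is why a listed address without the key is still refused.</p>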
</body></html>