# Stork 2.3.2 Release Notes, December 10, 2025

Welcome to Stork 2.3.2, a development release in the 2.3 series. The
changes introduced in this version are:

1. **Experimental support for Direct API**: The Kea Control Agent (CA)
is deprecated as of Kea 3.0; it is now possible to run Kea in a mode
where the DHCP daemons receive commands directly. This Stork version
introduces experimental support for this mode of operation. The code has
undergone a massive refactoring to be able to support both CA and Direct
API deployments, and we would like to stress that the support is
currently experimental. One known limitation is that Stork no longer
makes a distinction between a server that is down and one that has been
removed, meaning that DHCP daemons that are down are removed from
Stork's list; they will be detected and added back when the daemon is up
and running again. This limitation is expected to be addressed in future
releases; please use Direct API with caution and share your experience
[#1835]. We fixed a problem where the Stork agent was not able to detect
a Kea instance when the control agent was bound to an IPv6 address
[#2092]. System tests for Direct API were implemented [#2133].

2. **Sortable tables**: The Stork UI presents a lot of information in
the form of tables, and this release introduces the ability to sort
those tables by clicking on the header [#1893, #1900, #2076, #2117].

3. **Security**: We fixed a problem with a potential remote denial of
monitoring in the Kea Prometheus exporter. Previously, the exporter
could stop working after receiving statistics from Kea with a malformed
subnet, pool, or prefix pool ID. In addition, the exporter could stop
working after receiving pool-level statistics at the subnet level
[#2155, STO-01-002]. We added HTTP security headers to all Stork server
HTTP responses, and these headers were enabled in the demo and example
nginx and Apache reverse proxy configurations [#2153, STO-01-007]. We
fixed a non-exploitable SQL injection in the Stork tool command when
creating a database [#2137, STO-01-003]. The number of tokens in a
single line of the PowerDNS configuration is now limited to 500, to
prevent attempts to parse malformed configurations and excessive use of
memory during parsing [#2131, STO-01-009]. The maximum size of the
PowerDNS parser buffer is 16KB, and the initial buffer size is 512B.
This is aimed at reducing memory usage during PowerDNS configuration
parsing [#2132, STO-01-010]. A potential panic is now prevented while
merging Kea configurations when saving an updated configuration [#2130,
STO-01-012]. We addressed an issue in the Stork server whereby the
server could panic as a result of receiving and parsing an empty DNS RR
from the monitored DNS server over AXFR [#2129, STO-01-011]. We changed
the way the Kea daemon version information is displayed in the UI, to
prevent the possibility of an HTTP injection attack [#2152, STO-01-004].
These issues were found via an external security audit by 7ASecurity,
and the 'STO-*' codes refer to that report. The full report will be
published in January, 2026.

4. **Lease tracking**: There is work in progress to develop lease
tracking and inspection capabilities in Stork. While the whole solution
is not yet functional, we have implemented an important step of the
upcoming solution: the Stork agent can now detect the lease file
location and is able to parse its contents. Unfortunately, the
information gleaned is not used in any way yet, but we would appreciate
user feedback about any problems, such as the Stork agent complaining
about the lease file not being parseable, being inaccessible, slowing
down considerably, running out of memory, or any similar issues [#2055].

5. **DNS improvements**: The BIND 9 configuration and RNDC key files can
now be viewed via the Stork UI [#1634]. The built-in zones are now
hidden by default [#2118]. We fixed error handling in two gRPC streaming
calls, one for receiving zone contents from the agent, and another for
receiving BIND 9 configurations. The errors are now correctly
interpreted in the Stork server [#2157]. We fixed an issue with slow
loading of the dialog box displaying the zone RRs. The new solution
should significantly improve the dialog box loading time on all browsers
[#2096]. The mirror of the root zone can now be shown in the UI [#2072].
We fixed a problem where the zone viewer might display a debug message
that was not intended for users [#2071].

6. **Build improvements**: We updated many Stork dependencies, including
Go 1.25.5, Angular, and Grafana, and several JavaScript, Python, Ruby,
and Go packages [#2148]. We fixed a build problem with the recently
released Python 3.14 [#2110]. We updated the list of available Kea
versions in versions.json [#2054]. The Swagger UI is no longer included
in the JavaScript bundle, which makes the bundle smaller by 3MB and
improves the initial loading time [#2030]. The bump-up of the software
versions available is now automated. That means the release cycle is a
bit smoother and less error-prone [#1570].

7. **Demo**: We fixed a minor problem where the kea-large container in
the demo sometimes failed to start [#2103]. We fixed a problem with HA
containers in the demo failing to start [#2066]. The PostgreSQL version
used in the demo was updated to version 18 [#2028]. We added one
intentionally conflicted host reservation to the demo to showcase
conflict detection [#2080]. To ensure backward compatibility, the Stork
demo now includes an older (2.6.x) Kea on one of its example containers
[#2139]. We fixed a problem with a traffic simulator not being able to
generate traffic to some subnets [#2070]. We fixed the traffic simulator
to now properly display servers on the DNS tab [#2081].

8. **Bug fixes**: We fixed a problem with handling comments in an
extended JSON configuration in Kea. Two problematic cases were
addressed: the first is a comment that has unbalanced quotes, and the
second is about having two consecutive lines with quotes on them
commented out [#2134]. We refactored error logging to log error messages
and error stack traces in separate fields and ensure the error log entry
is a single line [#1622]. The shared networks table no longer displays
zero values in columns with Prefix Delegation statistics for IPv4
networks [#2104]. Host migration is now more informative when attempting
to migrate hosts on a previous (older than 2.3.8) Kea version [#2034].
We fixed a bug preventing users from opening an edit form for a host
reservation if it included any delegated prefix. Thanks to Benjamin
Solenthaler for the patch [#2038]. We fixed the UI reporting versions to
sometimes show security release-related messages as warnings, not errors
[#2048].

9. **Documentation**: The documentation for LDAP configuration has been
updated [#1809].

10. **Test improvements**: We updated the pkgs-compose image, which was
affecting several system tests [#2128]. We merged system tests for an
older CVE-2025-8696 [#2045]. We fixed one system test that failed due to
an incorrect type comparison [#2085]. The Playwright test code was
updated to no longer require Selenium [#2090]. We fixed several problems
with the CodeQL pipeline [#2064, #2065]. We improved one test for a
`notify-source` fix that was included in an earlier release [#2013]. UI
tests for machines [#2049], login [#2006], and user management [#2022]
were developed. 

Please see this link for known issues:
https://gitlab.isc.org/isc-projects/stork/-/wikis/Known-issues.

## Incompatible Changes

The changes required to support Direct API while still retaining support
for deployments with CA are substantial, and it is no longer possible to
downgrade the database from 2.3.2 to an earlier version. It is a Really
Good Idea to back up your database before performing any upgrade. This
time it's not just a boilerplate warning. We really do mean it.

## Release Model

Stork has bi-monthly development releases.

We encourage users to test the development releases and report back
their findings on the stork-users mailing list, available at
https://lists.isc.org/mailman/listinfo/stork-users, or report bugs at
https://gitlab.isc.org/isc-projects/stork/-/issues/.

This text references issue numbers. For more details, visit the Stork
GitLab page at https://gitlab.isc.org/isc-projects/stork/-/issues.

## License

Stork is released under the Mozilla Public License, version 2.0.

https://www.mozilla.org/en-US/MPL/2.0

## Download

The easiest way to install the software is to use native Alpine, deb, or
RPM packages. They can be downloaded from:

https://cloudsmith.io/~isc/repos/stork/

The Stork source and PGP signature for this release may be downloaded
from:

https://downloads.isc.org/isc/stork

The signature was generated with the ISC code-signing key, which is
available at:

https://www.isc.org/pgpkey

ISC provides documentation in the Stork Administrator Reference Manual
(ARM). It is available on ReadTheDocs.io at
https://stork.readthedocs.io/en/latest/, and in source form in [the doc/
directory](https://gitlab.isc.org/isc-projects/stork/-/tree/master/doc).

We ask users of this software to please let us know how it worked for
you and what operating system you tested on. Feel free to share your
feedback on the stork-users mailing list
(https://lists.isc.org/mailman/listinfo/stork-users). We would also like
to hear whether the documentation is adequate and accurate. Please open
tickets in the Stork GitLab project for bugs, documentation omissions
and errors, and enhancement requests. We want to hear from you even if
everything worked.

## Support

Free best-effort support is provided by our user community via a mailing
list. Information on all public email lists is available at
https://www.isc.org/mailinglists/. If you have any comments or questions
about working with Stork, please share them to the stork-users list
(https://lists.isc.org/mailman/listinfo/stork-users). Bugs and feature
requests may be submitted via GitLab at
https://gitlab.isc.org/isc-projects/stork/issues.

## Changes

The following summarizes changes and important upgrades since the
previous Stork release.

* 587 [func] piotrek

    Enabled tables sorting in Stork UI. Now most of the table views can
    be sorted by clicking on a column header.
    (Gitlab #1893)

* 586 [build] slawek

    Updated dependencies including the Go 1.25.5, Angular,
    Grafana (in demo) and several JavaScript, Python, Ruby and Go
    packages.
    (Gitlab #2148)

* 585 [bug] marcin

    Fixed error handling in two gRPC streaming calls, one for
    receiving zone contents from the agent, and another one
    for receiving BIND 9 configuration. The errors are now
    correctly interpreted in the Stork server.
    (Gitlab #2157)

* 584 [func] marcin

    Builtin DNS zones are no longer listed by default.
    (Gitlab #2118)

* 583 [bug] slawek

    Fixed a bug preventing Stork from reading Kea configuration with
    comments that included quotes. Added support for trailing commas
    in the Kea configuration files.
    (Gitlab #2134)

* 582 [bug] marcin

    Address a potential remote denial of monitoring in the Kea
    Prometheus exporter. The exporter could stop working after
    receiving statistics from Kea with malformed subnet, pool
    or prefix pool ID. In addition, the exporter could stop
    working after receiving pool-level statistic at the subnet
    level.
    (Gitlab #2155)

* 581 [func] slawek

    Refactored error logging to log error message and error stack trace
    in separate fields and ensure the error log entry is single-line.
    (Gitlab #1622)

* 580 [bug] lucaspetrino, slawek

    Fixed a problem that the Stork agent was not able to detect kea when
    the control agent binds to an IPv6 address.
    (Gitlab #2092)

* 579 [sec] piotrek

    Added HTTP security headers to all Stork server HTTP responses.
    The same headers were enabled in the demo and example nginx and
    Apache reverse proxy configurations.
    (Gitlab #2153)

* 578 [sec] piotrek

    Changed the way the Kea daemon version information is displayed
    in the UI. This prevents the possibility of an HTTP injection
    attack.
    (Gitlab #2152)

* 577 [func] marcin

    Implemented BIND 9 server configuration and rndc key files preview
    in the dialog boxes.
    (Gitlab #1634)

* 576 [func] ! slawek

    Support for monitoring Kea daemons directly without an intermediate
    Kea Control Agent (direct Kea API). Implemented communication via
    HTTP endpoint and sockets.
    (Gitlab #1835)

* 575 [bug] slawek

    Fixed non-exploitable SQL injection in the Stork tool command
    creating a database.
    (Gitlab #2137)

* 574 [bug] marcin

    Fix an issue with slow loading of the dialog box displaying
    the zone RRs. The issue was initially observed on Safari, with
    loading times reaching tens of seconds. However, it could also
    take several seconds on other browsers. The new solution uses
    a virtual scroller. It significantly improves the dialog box
    loading time on all browsers.
    (Gitlab #2096)

* 573 [func] piotrek

    Shared networks table will no longer display zero values in
    columns with Prefix Delegation statistics for IPv4 networks.
    (Gitlab #2104)

* 572 [func] marcin

    Limit the number of tokens in a single line of the PowerDNS
    configuration to 500. It prevents attempts to parse malformed
    configurations and excessive use of memory during parsing.
    (Gitlab #2131)

* 571 [bug] marcin

    Maximum size of the PowerDNS parser buffer is 16kB. The initial
    buffer size is 512B. It is aimed at reducing the memory usage
    during PowerDNS configuration parsing.
    (Gitlab #2132)

* 570 [bug] marcin

    Prevent potential panic while merging Kea configurations when
    saving updated configuration.
    (Gitlab #2130)

* 569 [bug] marcin

    Addressed an issue in the Stork server whereby the server could
    panic as a result of receiving and parsing an empty DNS RR
    from the monitored DNS server over AXFR.
    (Gitlab #2129)

* 568 [bug] slawek

    The host migrator verifies the Kea version now and produces a
    descriptive error if it is unsupported.
    (Gitlab #2034)

* 567 [bug] besole, slawek

    Fixed a bug preventing users from opening an edit form for a host
    reservation if it included any delegated prefix.
    (Gitlab #2038)

* 566 [bug] marcin

    Prevent ignoring errors while getting server and traffic statistics
    from the BIND 9 server.
    (Gitlab #2065)

* 565 [bug] marcin

    Improved error reporting when closing some files fails.
    (Gitlab #2064)

* 564 [func] marcin

    Enable showing mirror zones in the UI.
    (Gitlab #2072)

* 563 [bug] marcin

    Fix listing DNS servers in the traffic simulator. Previously,
    BIND 9 servers were not listed when other apps were authorized.
    Now, both BIND 9 and PowerDNS servers are correctly listed in
    the simulator.
    (Gitlab #2081)


Thank you again to everyone who assisted us in making this release
possible.

We look forward to receiving your feedback.