---
title: Release notes 2.5.0
---

# Stork 2.5.0 Release Notes, June 3, 2026

Welcome to Stork 2.5.0, a development release in the 2.5 series. The changes introduced in this version are:

1. **Lease tracking**: This Stork release introduces a mechanism that enables inspection of leases. If enabled, the agents glean lease information from the lease files of any detected Kea instances and stream that information to the server. The server then provides a searchable database of all the leases of all monitored servers. The interface can be sorted, filtered, and searched. Lease tracking currently supports only the memfile backend; this is the first release of a complex feature. Feedback is appreciated [#2058, #2059].

2. **OpenID Connect (OIDC)**: This Stork release introduces an optional authentication mechanism. If configured, the server, as a Relying Party, can use external OpenID providers to offload authentication duties. This allows easy integration with various Single Sign-On (SSO) solutions. Another major benefit is that external OIDC can be configured to require multi-factor authentication. This is another complex feature with many external variables, so feedback and deployment reports are appreciated [#2437, #2455, #2457, #2463, #2465, #2473, #2480]. The OIDC support was documented [#2485]. Also, the login page was tweaked. The last-used sign-in method is now remembered [#2336]. Internal authentication method labels were unified with other methods [#2335].

3. **Kea config backend**: As part of a larger initiative to extend Stork to support the Kea Configuration Backend (CB) mechanism, Stork was extended in various ways. This release introduces several framework changes [#2419] and the ability to add a subnet to CB, if the hook is loaded [#2424]. The CB hook was added to the demo [#2416] and to system tests [#2417]. The Stork server now shows the Kea server tag, if it was set.
This is useful for distinguishing between servers if multiple instances share the same CB database [#2419]. The CB is complex and the whole CB functionality will be implemented across many releases.

4. **Zone transfer monitoring**: There is work in progress to develop a zone-transfer monitoring mechanism for BIND 9. While the whole functionality is not yet available, the first essential building block has been implemented. The Stork agent is able to parse BIND 9 logs using different technologies (systemd log reader [#2389], text log file reader [#2388]), depending on the BIND 9 configuration. It detects and collects information about zone-transfer starts and completions. The information is not used yet, but in future releases Stork will aggregate that data from the monitored agents to monitor current, completed, and failed zone transfers, together with appropriate statistics. In the current release, the Stork agent is able to understand the directory option in a BIND 9 config file to resolve relative paths [#2460]. The XFR monitor was implemented [#2393]. Stork is now able to detect BIND 9 zone-transfer logging destinations [#2444]. Object and parameter passing is now more flexible [#2387]. The log tracker is now instantiated for detected BIND 9 instances [#2392]. The log tracker for zone transfers was implemented [#2391]. We fixed a bug where the Stork agent was failing to parse the CLI flags when the path to the binary contained the name of the binary, e.g. /var/lib/named/sbin/named [#2374].

5. **Security**: To better cope with the recent increased number of vulnerabilities being reported, the Stork team is experimenting with weekly dependency updates [#2469, #2445, #2454]. The audit target in Rake was expanded to also check for vulnerabilities in the LDAP hook and optionally omit developer-only dependencies [#2428]. We implemented enhanced protection against a Path Traversal attack in the REST API [#2309].
The previously unconditional requirement to exclusively use TLS version 1.3 when connecting to the Stork server database can now be relaxed. The `--db-tls-1-2-enabled` flag and its corresponding `STORK_DATABASE_TLS_1_2_ENABLED` environment variable allow the Stork server to also negotiate TLS 1.2 database connections [#2319].

6. **UI changes**: The Zone RR viewer now has more compact and improved filtering [#2282]. The shared network columns no longer overlap on the dashboard [#2385].

7. **Build improvements**: We removed an obsolete version parameter from Docker-compose files [#2429]. We fixed the authentication-methods directory permissions in packaging scripts [#1621]. The check against Java runtime version is now more explicit (11 or later required) and documented [#1300]. We bumped the go-swagger version to 0.33.2, which fixed build problems on OpenBSD 7.8, among other things [#2111]. The default hook directory path is now relative to the binary location rather than an absolute path [#1699]. Some dependencies were updated; in particular, Angular and PrimeNG were updated to 20 [#2297].

   Stork has been historically developed with the monorepo philosophy: the production source code of Stork itself, as well as all related files, such as tests, packages, demo files, and others were kept in the same repository. This was adequate when Stork was small, but with the project growing in size and scope that is no longer maintainable. Two major pain points were the build system complexity and dependencies that were increasingly hard to manage. As such, we are in the process of separating some files into different repositories. The first step is to move the system tests to a new repository. The new repository is available at https://gitlab.isc.org/isc-projects/stork-tests.

8. **Bug fixes**: We fixed a problem where the Stork agent created duplicate Unix socket access points for Kea 3.x [#2318].
We fixed a panic in the LDAP code, when a user who logged in previously had their DN name changed [#2303]. The Stork agent can now properly detect `kea-dhcp-ddns` daemons [#2433]. We fixed a problem where Kea's configuration file was missing the control-socket structure [#2403]. Stork no longer drops unknown parameters from the Kea configuration [#2328]. The Stork agent can now detect Kea daemons started with a relative executable path [#2289]. We decreased the logging level for messages when the server is unable to find a subnet reported in a Kea statistics response [#2382]. We fixed a bug where the Stork agent could sometimes kick off multiple state pullers, resulting in duplicate daemons [#583]. We fixed a problem with database migration if the schema had applications without any daemons [#2317].

9. **Tests**: A problem with environment variables was fixed in several unit-tests, when running in a containerized environment [#2482]. We added `pytest-playwright` to pytest dependencies [#2438]. We tweaked the test timeouts, so that fast developer machines get deadlock reports promptly, while the CI jobs have a little bit more time to complete slow tests [#2430, #2478]. It's now easier to get code coverage information when running only some of the tests [#2432]. The default Storybook plugins were re-enabled [#1292]. CI caching is now implemented [#1694, #2168, #2277]. The build system is now more lenient if it was unable to install Chrome using Playwright [#2248].

10. **Common command-line library**: Stork now verifies the environment variables provided and prints descriptive feedback if a variable is not recognized or deprecated. All three components (`stork-server`, `stork-agent`, `stork-tool`) use the same framework to handle command-line options and environment variables [#1587].

Please see this link for known issues: https://gitlab.isc.org/isc-projects/stork/-/wikis/Known-issues.

## Incompatible Changes

1. Starting with the 2.5.0 release, the hook path is relative, not absolute as it was in earlier releases. If you are using non-standard installation paths, you should update your custom hook directory. This should not affect users who use hooks in the default locations.

2. A new configuration option, `STORK_SERVER_HOOK_LDAP_OBJECT_CLASS_USER_UNIQUE_IDENTIFIER`, was added in the LDAP hook, where Stork administrators may set the LDAP operational attribute that holds a unique and immutable identifier for the user. The option defaults to `entryUUID`. For LDAP server implementations that do not support this operational attribute, the setting should be fine-tuned (e.g., `objectGUID` for Microsoft AD or `uniqueidentifier`).

3. The database schema was updated.

## Release Model

Stork has bi-monthly development releases. We encourage users to test the development releases and report back their findings on the stork-users mailing list, available at https://lists.isc.org/mailman/listinfo/stork-users, or report bugs at https://gitlab.isc.org/isc-projects/stork/-/issues/.

This text references issue numbers. For more details, visit the Stork GitLab page at https://gitlab.isc.org/isc-projects/stork/-/issues.

## License

Stork is released under the Mozilla Public License, version 2.0.

https://www.mozilla.org/en-US/MPL/2.0

## Download

The easiest way to install the software is to use native Alpine, deb, or RPM packages. They can be downloaded from:

https://cloudsmith.io/~isc/repos/stork/

The Stork source and PGP signature for this release may be downloaded from:

https://downloads.isc.org/isc/stork

The signature was generated with the ISC code-signing key, which is available at:

https://www.isc.org/pgpkey

ISC provides documentation in the Stork Administrator Reference Manual (ARM). It is available on ReadTheDocs.io at https://stork.readthedocs.io/en/latest/, and in source form in [the doc/ directory](https://gitlab.isc.org/isc-projects/stork/-/tree/master/doc).

We ask users of this software to please let us know how it worked for you and what operating system you tested on. Feel free to share your feedback on the stork-users mailing list (https://lists.isc.org/mailman/listinfo/stork-users). We would also like to hear whether the documentation is adequate and accurate. Please open tickets in the Stork GitLab project for bugs, documentation omissions and errors, and enhancement requests. We want to hear from you even if everything worked.

## Support

Free best-effort support is provided by our user community via a mailing list. Information on all public email lists is available at https://www.isc.org/mailinglists/. If you have any comments or questions about working with Stork, please share them with the stork-users list (https://lists.isc.org/mailman/listinfo/stork-users). Bugs and feature requests may be submitted via GitLab at https://gitlab.isc.org/isc-projects/stork/issues.

## Changes

The following summarizes changes and important upgrades since the previous Stork release.

* 651 [doc] piotrek Added a brief documentation section in ARM for OpenID Connect authentication in Stork. (Gitlab #2485)
* 650 [bug] slawek Fixed a bug that could cause the server to panic during user authentication via LDAP. Authentication could be rejected if the user's Distinguished Name differed from the value known to the Stork server. (Gitlab #2303)
* 649 [func] william The Stork server now has a user interface for displaying leases which it collected from Kea. See DHCP > Leases List. (Gitlab #2059)
* 648 [func] piotrek Added support for OpenID Connect external authentication to Stork server. (Gitlab #2455, #2457, #2463, #2465, #2473, #2480)
* 647 [build] marcin Updated backend, UI, python and ruby dependencies. (Gitlab #2469)
* 646 [func] marcin Stork agent uses the BIND 9 directory option to determine absolute paths to the log files where DNS zone transfers are logged.
  (Gitlab #2460)
* 645 [func] slawek Support for creating subnets in the Config Backend database. (Gitlab #2424)
* 644 [func] marcin Implemented zone transfers monitoring in the agent. The agent now collects the information about ongoing and completed zone transfers, and holds it in memory. Since there is no gRPC API to retrieve the zone transfer information from the agent, the information is not yet available to the server. The API and the necessary Stork server updates will be implemented in the future GL issues. (Gitlab #2393)
* 643 [build] piotrek Updated dependencies including Go 1.25.10, and several JavaScript and Python packages. (Gitlab #2454)
* 642 [bug] slawek Fixed the authentication-methods directory permissions in packaging scripts. The stork-server process could not write LDAP hook icons because the directory was owned by root after package installation. Added mkdir and chown in all post-install scripts and os.MkdirAll in Go code as defense-in-depth. (Gitlab #1621)
* 641 [func] marcin Stork agent parses BIND 9 logging configuration to determine the log files where zone transfer events are logged. The zone transfers are tracked in these files when zone transfer tracking is enabled using the --enable-xfr-tracking parameter. Still, it is possible to specify alternate file locations by explicitly setting the --xfr-in-tracking-path and --xfr-out-tracking-path command line arguments of the Stork agent. (Gitlab #2444)
* 640 [func] slawek Added verification of the environment variables provided by a shell and in the environment file to print a descriptive feedback in case of a typo or using a deprecated variable. (Gitlab #1587)
* 639 [ui] slawek Display the Kea daemon's server tag on the daemon page. (Gitlab #2420)
* 638 [func] marcin Added new parameters to the Stork agent enabling zone transfer monitoring in the explicitly specified files or systemd logs. The captured logs are not yet interpreted.
  (Gitlab #2392)
* 637 [func] slawek Added a new container to the demo that runs Kea DHCPv4 server with the Config Backend (cb_cmds) hook. (Gitlab #2416)
* 636 [func] marcin Implemented log tracker in the Stork agent. It will be used to monitor BIND 9 logs to capture the zone transfer events. However, as a generic solution, it can be used in the future for tracking any kind of events logged in the files or systemd logs. (Gitlab #2391)
* 635 [func] slawek The Stork server now extracts the server tag from the Kea DHCP daemon configuration and stores it in the database. It is the backbone of the Kea Config Backend support. (Gitlab #2419)
* 634 [build] piotrek Updated dependencies including Go 1.25.9, and several JavaScript, Python, Ruby and Go packages. (Gitlab #2445)
* 633 [bug] marcin Fixed detection and monitoring of the kea-dhcp-ddns process. (Gitlab #2433)
* 632 [func] william The Stork server now collects leases from the agents and stores them in the Stork server database. They will be displayed by UI added in a later change. (Gitlab #2058)
* 631 [build] andrei Go Swagger version was bumped up to v0.33.2. (Gitlab #2111)
* 630 [func] piotrek Zone RRs viewer filtering panel was changed to compact style to match other filtering panels in Stork UI. (Gitlab #2282)
* 629 [ui] slawek Fixed long shared network names overlapping adjacent columns on the Dashboard. Names are now truncated with an ellipsis and expand to the full text on hover. (Gitlab #2385)
* 628 [sec] slawek Enhanced protection against Path Traversal attack in RestAPI. (Gitlab #2309)
* 627 [bug] slawek Fixed the Stork server crash when the monitored daemon had no control sockets specified. (Gitlab #2403)
* 626 [bug] marcin Stork no longer erases Kea configuration parameters it does not recognize when it updates Kea configuration. This is important when Stork version is behind Kea version, and new parameters were introduced to Kea.
(Gitlab #2328) * 625 [func] marcin Implemented systemd logs reader and watcher using journalctl. It will be used to monitor BIND9 logs to capture zone transfer events. (Gitlab #2389) * 624 [bug] slawek Fixed Kea, BIND 9, and PowerDNS detection failing to parse the CLI flags when the path to the binary contained a directory named same as the binary (e.g., /var/lib/named/sbin/named). (Gitlab #2374) * 623 [bug] andrei The agent can now detect Kea daemons started with a relative executable path; previously, it tried to guess that the executable would be located in the current working directory from which the process was started. (Gitlab #2289) * 622 [func] ! slawek The default hook directory path is now relative to the binary location rather than an absolute path. The hook directory is created during the package installation if it doesn't exist. (Gitlab #1699) * 621 [func] marcin Implemented log file reader and watcher, working similar to the tail -f. It will be used to monitor BIND9 log files to capture zone transfer events. (Gitlab #2388) * 620 [bug] slawek Decreased the logging level for a message produced when it is unable to find a subnet reported in the Kea statistics response to prevent bloating the logs if the stale subnets are included. (Gitlab #2382) * 619 [func] slawek Added the --db-tls-1-2-enabled flag (STORK_DATABASE_TLS_1_2_ENABLED environment variable) to allow lowering the minimum TLS version for database connections from 1.3 to 1.2. (Gitlab #2319) * 618 [bug] slawek Fixed a hole that allowed pulling the same agent state many times concurrently, which could result in duplicating daemons. (Gitlab #583) * 617 [build] piotrek Updated frontend dependencies including Angular 20 and PrimeNG 20. Development dependency Storybook was updated to version 10.2. (Gitlab #2297) * 616 [bug] slawek Fixed a database migration failure for the application with no daemons. (Gitlab #2317) Thank you again to everyone who assisted us in making this release possible. 
We look forward to receiving your feedback.