Two small releases are out today: 4.2.4 and 4.3.3. Nothing big, mostly fixes. Some I had waiting for a while, some came from your bug reports. If you run 4.2.x, you can stay there and just swap in 4.2.4. Same for 4.3.x to 4.3.3, no migration inside the same line. But 4.3.x is now stable enough that I would use it for new installs. One thing to know: moving from 4.2.x up to 4.3.x does need a database migration, so that step is not just a file swap. PHP 8.2+ is still all you need.

One more thing first: work on 4.4.0 is still going. It is summer, so I have less time for the project right now, but it is moving. Thanks for being patient.

The project keeps growing, and it is getting harder to keep everything working well across all the ways people run it: normal database mode, API-backend mode, Docker, proxies, and so on. Sometimes a feature ships a bit too fast and the problems only show up later in specific setups. That is why your bug reports help so much, and why I like to ship fixes in small steps like these.

About the branches: next time I plan to mark 4.3.x as stable, since the API-backend work has calmed down. 4.2.x will move into maintenance mode after that. It will still get important fixes, but most of my time will go to 4.3.x and the coming 4.4.0.

🔧 4.2.4

Bugfix release for the 4.2.x line. Changes since v4.2.3:

• 🔒 OIDC and SAML URLs (OIDC redirect_uri and post-logout redirect, the SAML ACS/SLO/entityID, and the API docs base URL) are now built from the configured interface.application_url instead of the request Host header, so they can’t be altered per request. Set application_url to keep them stable.

• 🔒 Permission templates are validated on user create/update, and perm_templ can no longer be set in a way that allows self-elevation; users with broken templates are now surfaced (#1219).

• 🔒 Zone listing in both the internal API and V1 API is scoped to zones the user can actually see.

• 🔒 DNSSEC operations now require full edit permission and zone ownership.

• 🐛 SOA, NS and apex records stay pinned to the top of the record list regardless of sort column or direction (#1250).

• 🐛 LUA template records are now applied to IPv4 reverse zones, not just IPv6 (#1248).

• 🐛 Zone template sync clears stale zone_template_sync rows when a zone’s template changes (#1249), and reconciles sync for all owners of a shared zone.

• 🐛 Add-zone flow keeps reverse context when creating a reverse lookup zone (#1225).

• 🐛 Search qualifies the ORDER BY column to fix an ambiguous-column error (#1224) and sorts grouped results correctly on PostgreSQL.

• 🐛 CSV export quotes leading special characters in cells.

• 🌍 Localization fills in remaining record-add and DNS validation messages.

Drop-in replacement for v4.2.3. PHP 8.2+ required (unchanged).

🔧 4.3.3

Bugfix release for the 4.3.x line. It carries everything in 4.2.4 plus the API-backend polish that’s specific to this branch. Changes since v4.3.2:

• 🔒 Same OIDC/SAML callback-URL and permission/DNSSEC hardening as 4.2.4 above.

• 🐛 Database consistency checks are skipped when running against the PowerDNS API backend, where the local tables they inspect don’t apply (#1292).

• 🐛 Dashboard stats panel keeps working when the PowerDNS tables are unavailable.

• 🐛 SOA, NS and apex records are pinned to the top in the API-backend zone listing too (#1250).

• 🐛 Record ID column and its toggle are hidden in API mode, where the raw value isn’t meaningful (#1319).

• 🐳 Fresh Docker containers initialize the MySQL/PostgreSQL schema on first start, and can optionally initialize the PowerDNS schema for empty databases (#1307).

• 🌍 Localization translates the new API-backend consistency-check notice.

Drop-in replacement for v4.3.2. PHP 8.2+ required (unchanged).

🚧 What about 4.4.0?

The main work for 4.4.0 is done, and it is a big release. Some of the new things: PowerDNS feature detection with a UI that adapts to it, default zone templates, click-to-copy for DS and DNSKEY values, per-user settings like timezone and hostname-only display, OIDC group mapping, per-zone audit-log permissions, correct HTTP status codes on API errors, smarter search that detects IPs, and a lot of small UI cleanups in the zone and record views.

What is left is the boring part: more testing across the different setups before I tag it. You can see the full list in the v4.4.0 milestone.

🧰 Community tooling

Something nice to share: Patric has been building open-source Go tools around the Poweradmin API at Contentways:

• poweradmin-go - a Go SDK for the Poweradmin REST API.

• poweradmin-cli - a command-line tool for Poweradmin.

• poweradmin-operator - a Kubernetes operator that manages DNS zones and records through the Poweradmin API.

If you automate Poweradmin or run it in Kubernetes, these are worth a look. Thanks Patric for building and sharing them.

🙏 Thanks

Thanks to everyone who reported issues and helped track these down across the 4.2.4 and 4.3.3 milestones: @lovilak, @michielvisser, @apiersonST, @Protogen187, @stanjeptha, @Ponkhy, @pomland-94, and @WLammert. And thanks to everyone testing the 4.4.0 work in the background - it’s appreciated, summer schedules and all.

Special thanks for the responsibly-disclosed security advisories that drove the authentication and export hardening in these releases:

• Host Header Injection in the OIDC/SAML callback URLs - reported by @mike197312.

• CSV Injection in the log export endpoints - reported by Lorenzo Russo (@tienneR).

🐳 Docker tags

• :4.2.4, :4.2, :stable - the current stable tag (4.2.x for now)

• :4.3.3, :4.3 - the 4.3.x line

Links

• Full changelog 4.2.x: https://github.com/poweradmin/poweradmin/compare/v4.2.3...v4.2.4

• Full changelog 4.3.x: https://github.com/poweradmin/poweradmin/compare/v4.3.2...v4.3.3