v4.3.0 is the biggest release in the 4.x line so far. Native API-only deployments, a domainmetadata editor, log filtering and exports, hardened auth, and plenty more - see the full changelog for the complete list.

📣 Update: please use v4.3.1 instead of v4.3.0. Shortly after release, the community flagged two issues - a broken MySQL backfill query in the 4.3.0 upgrade script (#1159) and a missing-config error that wasn’t surfaced clearly (#1158). Huge thanks for the quick reports - both are fixed in v4.3.1. If you’ve already upgraded and the MySQL migration failed, re-run sql/poweradmin-mysql-update-to-4.3.0.sql from the v4.3.1 release.

Prefer to stay on the stable line? v4.2.2 remains the recommended release for production deployments that don’t need API backend mode or the other 4.3 features. It’s what the Docker stable tag points at, and it continues to receive bug and security fixes.

⚠️ Before upgrading: md5 and md5salt password hashing is no longer supported for new hashes. Existing hashes still validate, so current users can still log in. If your config has password_encryption set to md5 or md5salt, switch it to bcrypt before upgrading. Also: run the database migration script for your database before starting v4.3.0.

🌐 API backend mode

Poweradmin can now run in front of PowerDNS without direct access to its database. All DNS operations go through the PowerDNS HTTP API instead. This helps when the PowerDNS database is on a network you cannot reach, when PowerDNS is a managed or cloud service, or when you prefer API-first integration (#658).

How to enable it. New installs get a backend choice in the installer (”Database” or “API”). For existing installs, set dns.backend to api in config/settings.php and add your PowerDNS API URL and key:

return [
    'dns' => [
        'backend' => 'api',
        // ...
    ],
    'pdns_api' => [
        'url' => 'http://powerdns-server:8081',
        'key' => 'YOUR_API_KEY',
        'server_name' => 'localhost',
    ],
];

Both pdns_api.url and pdns_api.key are required - Poweradmin will refuse to run in API mode without them. In Docker, set PA_PDNS_BACKEND=api along with the API URL and key env vars.

Migration. Run the v4.3.0 database migration, add the pdns_api config, then switch dns.backend from sql to api. Your existing zone ownership, groups, and permissions are preserved. You can also revert by setting dns.backend back to sql. Full steps are in the upgrading guide and PowerDNS API configuration docs.

This mode needs community testing. It is a big change that affects how Poweradmin reads and writes data. I ran smoke tests, but there are many zone types, record types, permissions, and edge cases, so I cannot promise every case is covered. Big changes like this often have rough spots that only show up in real use. Please do not switch to API mode in production before trying it on a separate test instance, ideally with test data or a copy of your zones. Try the features you use most. If you find anything wrong, file an issue on GitHub with steps to reproduce it - community reports are the fastest way to make this stable.

Expect some slowdown. Every read and write in API mode makes one or more HTTP calls to PowerDNS, instead of a single SQL query. Pages that load many zones or records (dashboard, search, bulk operations) will be slower because they depend on PowerDNS API response time. Classic SQL mode is unchanged and still the default - only switch if you have a reason to.

📁 Zone metadata editor

A first-class editor for PowerDNS domainmetadata (#1117). Select from known kinds with inline guidance, enter custom kinds when needed, and manage multi-value kinds such as ALLOW-AXFR-FROM one row at a time. A read-only view is available for users without edit rights. Full API v2 CRUD is available at /v2/zones/{id}/metadata. SOA-EDIT-API is handled specially in API mode - surfaced from zone properties, editable inline, and removal propagated correctly.

📊 Audit logging and log pages

The AuditService now records structured events across user management, zone ownership, templates, DNSSEC, MFA, API keys, OIDC/SAML authentication (#1109), failed permission checks, and all API v2 operations. Every log page has been upgraded with filters (operation/event type, user, group, date range), CSV and JSON export with confirmation modal, a details modal with one-click copy, and client IP + auth method visible across all views. A dedicated API Logs page surfaces API-key events.

🔐 SSO permission template mapping

Running Poweradmin behind OIDC or SAML becomes easier:

• Permission template source tracked per user so external identity provider changes can revoke stale SSO mappings (#1095)

• New env vars for SSO permission template and group mappings (#1091)

• default_permission_template only applies to new SSO users, leaving existing users untouched (#1092)

• auth_method preserved when editing OIDC/SAML users (#1064)

🐳 Docker

• PA_PDNS_BACKEND selects SQL or API mode

• PA_TRUSTED_CA_FILE mounts custom CA certificates (#1065)

• PA_TRUSTED_PROXIES for real client IP behind reverse proxies (#1134)

• Env var support for module configuration (#1084)

• dns_wizards and email_previews togglable via env vars (#1116)

• Rootless container mode; port 80 binding restored in root mode (#1118)

🌍 DNS & content

• Custom TLD-to-server mapping for WHOIS and RDAP, with .za added (#1138)

• IDN/punycode support for record names and content, incl. HTTPS, SVCB, and LP (#1090)

• IPv6 batch PTR with correct nibble expansion (#1110)

• Selective zone template update instead of full replace

🛡️ Security hardening

• md5 and md5salt hashing removed for new passwords (existing hashes still validate)

• Default bcrypt cost bumped to 12

• CSRF validation required for API key toggle

• IpAddressRetriever hardened - X-Real-IP support, proxy headers matching REMOTE_ADDR skipped, parsing bugs fixed (#1134)

• API v1 formally deprecated with Sunset date announced via header and OpenAPI notice (#1146) - please migrate to v2

✨ Small touches

• Globe language switcher on the login page

• disabled field respected in bulk record CSV import

• Details modal with copy across log views

📦 Upgrading

• Back up your database before upgrading - 4.3.0 adds audit log tables and introduces the zone metadata schema

• Run the database migration for your database type before starting the new version:

  • sql/poweradmin-mysql-update-to-4.3.0.sql

  • sql/poweradmin-pgsql-update-to-4.3.0.sql

  • sql/poweradmin-sqlite-update-to-4.3.0.sql

• PHP 8.2+ required (unchanged); tested on 8.2 through 8.5

• PowerDNS 4.0+ through 5.x works as before; API backend mode requires the PowerDNS HTTP API enabled

• Docker: poweradmin/poweradmin:4.3.1 (or :4.3 for automatic patch updates). The stable tag still tracks the 4.2.x series (currently 4.2.2) - opt in to 4.3.x explicitly

• Full step-by-step guide in the v4.3.0 upgrading docs

Thanks to everyone who filed issues, tested, and contributed.