Changelog

Build 043

Changed

• Single-resource mutations return the bare object. POST /api/v1/zones, POST /api/v1/records, PUT /api/v1/records/:id, and the deleted-record restore endpoint no longer wrap the payload in {"zone":…} or {"record":…} — the response body is the bare zone or record, same shape as the corresponding GET
• BIND-reload warnings move to a response header. When the data write succeeds but the follow-up rndc reload fails, the warning is delivered through an X-BackendSide-Warning response header instead of an inline warning field. Multiple warnings emit multiple header values; status code stays 200/201 because the write itself is durable
• Audit entry schema extended with method, path, status, and target fields, matching the MailPanel audit shape so a central audit viewer can render both streams with one parser. The DNS-specific zone, record_name, record_type fields stay; existing audit log lines remain readable

Compatibility note

• External scripts that read response.zone or response.record from a mutation need a one-line tweak — drop the wrapper key and read the response body directly. Scripts that already use the top-level fields are unaffected
• Surface the X-BackendSide-Warning header to your operator when present; it indicates the reload step failed and BIND will need a manual rndc reload once the underlying issue is fixed

Build 042

Fixed

• Record drawer: “Discard changes?” dialog no longer appears after a successful Save or Delete on a record — the dirty-check now only runs when the user actually dismisses the drawer (Cancel, X, or overlay click)

Build 041

Changed

• RPM packaging: a single .rpm now installs cleanly on RHEL 8, 9, and 10 (and AlmaLinux / Rocky equivalents) — the package payload was switched to gzip compression because RHEL 8's package manager cannot read the newer zstd format
• Artifact naming dropped the per-distro suffix — the build now ships as backendside-dns-manager-0.1.0-041.x86_64.rpm

Build 040

Added

• logrotate: packages now soft-depend on logrotate so the shipped log rotation rules actually run on a default system

Changed

• Smarter installer: fresh installs generate secrets and start the service; upgrades preserve your existing API key, JWT secret, admin account, and setup flag, and use a graceful try-restart so the new binary takes over without manual intervention — same behaviour on .deb and .rpm
• DNSSEC label: when a zone is signed with a Combined Signing Key (the default policy), the keys table now correctly shows the role as CSK instead of KSK/ZSK — matches what rndc dnssec -status reports

Build 039

Fixed

• Webhook event filter: webhooks now actually honor the events list — a webhook subscribed to zone.created only fires on zone-create; previously every webhook fired on every event regardless of the selection
• Older webhooks without an explicit event list keep their previous behaviour (fire on all events)

Build 038

Fixed

• Long TXT records: TXT values over 255 characters (DKIM, large SPF, etc.) are now written as multiple quoted segments per RFC 1035, so BIND loads them correctly — embedded quotes and backslashes inside TXT values are escaped
• CAA records: the writer now emits CAA values in BIND's expected inline format (0 issue "letsencrypt.org") instead of wrapping the whole value in quotes, which previously broke issue, iodef, and issuewild records
• Verified end-to-end — 300- and 320-character TXT records round-trip exactly, and all three CAA tags load and resolve on Ubuntu 24.04 and AlmaLinux 10.1

Build 037

Fixed

• Templates with DKIM / DMARC / SPF: TXT and CAA values containing ; (semicolons) are no longer truncated at the first semicolon by the zone-file parser
• SOA admin email: addresses like [email protected] are now correctly converted to RFC 1035 SOA RNAME format on disk and back to email form in the UI/API — they no longer get mangled on save
• CNAME / NS at the apex: records with @ as the name (a common zone-file shorthand for the apex) are now accepted — fixes the www CNAME @ record silently being dropped from the basic-web and full-stack templates
• Auto-glue warnings: when an in-zone nameserver is added without a matching A record and no default server IP is configured, the response now surfaces a warning instead of silently writing a zone that won't load

Build 036

Added

• Zone defaults: new “Zone defaults” section on the Configuration page lets you preset a list of nameservers, admin email, default TTL, and primary server IP — used by the “Use default nameservers” option in the Add Zone / Edit Zone modals
• Detect IP button: auto-populates the primary server IP by reading the host's outbound interface
• Auto-glue: when a zone uses an in-zone nameserver (ns1.example.com. for example.com), the matching ns1 A record is added automatically using the configured server IP — applies on zone create, zone update, and record create/update

Fixed

• SOA preservation: editing any record in a zone no longer resets the SOA primary nameserver back to a default like ns1.<domain> — the on-disk SOA is re-read and preserved across subsequent record writes

Build 034

Fixed

• Trailing-dot round-trip: fixed a zone-file round-trip bug where editing any record could turn ns1.example.com. into the relative ns1.example.com, which BIND then expanded back into ns1.example.com.example.com. and refused to load the zone — affects NS, CNAME, PTR, MX, and SRV

Build 033

Added

• Cross-distribution support: RHEL family support (AlmaLinux 10.1 validated; RHEL 8/9/10 expected) — the installer auto-detects the OS and uses the right BIND config directory (/etc/named on RHEL, /etc/bind on Ubuntu), service name (named vs bind9), package manager (dnf vs apt-get), and ownership (named:named vs bind:bind); SELinux contexts are restored automatically on RHEL
• .rpm package available alongside .deb

Build 032

Added

• RPM packaging: initial make rpm target with rpm spec, plus AlmaLinux BIND install/setup scripts — first .rpm built on AlmaLinux 10.1

Build 031

Fixed

• Security page blanking on load: when the security settings were freshly initialised, empty whitelists were serialised as JSON null and crashed the page render — empty lists are now sent as []

Build 030

Added

• Standardised error codes: API errors now include a machine-readable code field (ZONE_NOT_FOUND, ZONE_ALREADY_EXISTS, RECORD_NOT_FOUND, BIND_RELOAD_FAILED, DNSSEC_ALREADY_ENABLED, etc.) alongside the existing human message
• DNSSEC guards: enabling DNSSEC on an already-signed zone (or disabling on an unsigned zone) returns a clean 409 with a specific error code instead of going through the motions
• Test suite: added unit tests for DNS validation, zone-file round-trip, and the zones HTTP handler

Changed

• Analytics performance: record-type counts and query-volume aggregations now use a 30-second in-memory cache, smoothing repeated dashboard loads

Build 029

Added

• DNS Lookup tool: new “DNS Lookup” page under the Tools section runs dig against any name server (default: the local BIND) without leaving the dashboard — type whitelist covers A/AAAA/MX/TXT/NS/CNAME/SOA/PTR/CAA/SRV/ANY
• Lookup shortcut on records: every record row in a zone now has a search-code icon that jumps straight to the Lookup tool with the name and type pre-filled and the query auto-submitted

Build 028

Added

• Webhooks: new “Webhooks” page under System — register HTTP endpoints to receive notifications when zones or records are created, updated, or deleted; each delivery includes an X-Webhook-Signature HMAC-SHA256 header signed with the webhook secret; per-webhook “Test” button sends a synchronous ping; table shows last-triggered timestamp

Build 027

Added

• Raw zone view: new “Raw” tab on the Zone Detail page shows the full zone file in a syntax-highlighted code block, with Copy and Download buttons
• Paste-import: the Import Zones page gained a “Paste zone file” tab — paste a raw zone file in, the dashboard validates it with named-checkzone, imports it, and reloads BIND

Build 026

Added

• Restart manager button: new control on the BIND Service page restarts the DNS manager process itself (useful after upgrades) — the UI shows a reconnecting overlay and reloads automatically once the service comes back
• Log rotation: .deb now installs an /etc/logrotate.d/ config (daily, 14 rotations, gzip, copytruncate) and creates /var/log/backendside-dns-manager
• Structured logging: setting LOG_FORMAT=json switches all logger output to one JSON line per record ({"time","level","msg"})

Fixed

• Dashboard “DNS records” stat: now sums per-type counts instead of pulling every record across every zone, so it loads instantly on large estates

Build 025

Added

• API Tokens page: dedicated System → API Tokens screen to create, list, and revoke named API tokens — the token value is shown once on creation and never again; copy it immediately
• Zone Templates page: dedicated DNS → Templates screen to browse the built-in templates and create / delete your own custom record sets

Build 024

Added

• Import Zones: new top-level DNS → Import Zones page walks a directory, validates each .zone file with named-checkzone, classifies them as New / Conflict / Invalid, and imports the ones you select in a single reload
• Export zone: every zone gains an “Export” button that downloads the raw zone file directly from the browser
• Recently deleted records: deleted records are kept in a per-zone soft-delete log for 48 hours (last 50 entries) — new “Recently deleted” tab on Zone Detail lets you restore them with one click
• Audit log: all mutations are written to an append-only log at /etc/backendside-dns-manager/audit.log — new System → Audit Log page lets you scan the most recent 50 / 100 / 200 / 500 / 1000 entries with user, IP, action, and target
• User dropdown: the topbar avatar now opens a menu with Settings and Sign out

Build 023

Added

• Pagination + server-side search on the Zones list — handles thousands of zones cleanly with a debounced search box and prev/next controls
• Per-record-type filter pills on Records and Zone Detail
• Bulk record operations: checkbox column on Zone Detail with a “Delete N selected” toolbar action
• BIND Configuration page: new System → BIND Configuration screen exposes the most common named.conf.options (recursion, query log, version-hide, zone name checking, custom directives) — changes are validated with named-checkconf before applying and trigger an automatic reload
• Zone templates: four built-in templates (empty, basic-web, mail-services, full-stack) selectable when creating a zone, plus an API for managing custom templates

Build 022

Added

• Security page (System → Security) — rate limiting (configurable per-IP token bucket for /auth/login and /api/*), admin login IP whitelist (CIDRs), API key IP whitelist (CIDRs), port firewall (managed iptables chain, IPv4 + IPv6, flushed on graceful shutdown), and a self-lockout guard that warns before you apply rules that would block your current session
• Multi-token API keys: create named tokens with separate audit trails and individual revocation — the legacy static API_KEY from config.env keeps working as a fallback

Build 021

Added

• DNSSEC (BIND 9.18+ built-in dnssec-policy "default"; inline-signing yes;) — per-zone “DNSSEC” tab on Zone Detail with enable / disable toggle, keys table (tag, algorithm, role, dates), DS records copy-paste ready for your registrar, live rndc dnssec -status output polling every 4 seconds while waiting for keys to appear, and a “Signed” chip on the zones list and zone header

Build 020

Added

• Analytics: records-by-type bar chart (per zone and overall), query-volume area chart (last 24h, bucketed), live query stream (Server-Sent Events; the dashboard “Live queries” widget), and an activity feed sourced from journald
• The installer now turns on BIND's query log so analytics has data on day one

Build 019

Added

• Topbar avatar showing the logged-in username (from the JWT)
• Edit Zone settings — change nameserver, admin email, and default TTL from the Zone Settings tab
• Unsaved-changes confirmation in the record drawer so a stray click doesn't drop your work

Changed

• Toolbar pills now wrap cleanly on narrow viewports

Build 018

Fixed

• Per-zone write locks + a separate zones.conf lock prevent overlapping writes from racing each other
• DeleteZone ordering: zones.conf is rebuilt before the zone file is removed, then BIND is reloaded — previously the three steps could race and leave the include file pointing at a missing file
• CreateZone rollback: if updating zones.conf fails after the zone file was written, the orphaned file is removed instead of left on disk

Added

• DNS-label / hostname / IPv4 / IPv6 / TTL validation helpers wired into the record create and update paths

Build 017

Added

• Installer DNS pre-flight: the BIND9 install step detects a broken /etc/resolv.conf, temporarily points at 1.1.1.1 and 8.8.8.8 for the duration of the install, then restores the original (preserving the symlink-vs-file shape) — no more manual resolv.conf editing to get past the install

Build 016

Added

• Dashboard: real stat cards (Total zones, DNS records, Queries/24h, BIND status) — no more placeholders
• System pages: BIND Service (status, reload, restart), Configuration (paths and listen address), Settings (HTTPS toggle, generate self-signed certificate, change password, sign out)

Build 015

Added

• Zones list and Zone Detail wired to real data, with a side drawer for editing records
• Records cross-zone view (/records) — search and filter every record across every zone in one table
• New reusable UI components — Chip, RType, Modal, Drawer, ConfirmDialog, InlineError

Build 014

Fixed

• Setup wizard skipping admin step — the wizard now correctly waits for an admin to be configured before redirecting to the login screen

Build 013

Changed

• Login / setup logo switched to the white-background variant for better contrast on the navy split-pane
• Friendlier sign-in error — “Incorrect username or password”

Build 012

Added

• Routing + auth flow: React Router 6, JWT-in-localStorage, automatic redirect to /login on 401, full setup wizard flow wired up

Build 011

Added

• Modern frontend pipeline: the dashboard moved from a single hand-written index.html to a Vite + React + TypeScript build, embedded in the binary — initial bundle: 149 KB JS + 25 KB CSS

Build 010

Added

• BIND reload warnings — any mutation that touches BIND now returns the normal success body plus a warning field when the underlying rndc reload reports a problem, so the UI can surface it instead of silently succeeding

Fixed

• Zone serial rollover: SOA serials no longer wrap at 99 per day — the YYYYMMDDNN counter rolls into the next day correctly
• Parse errors are logged rather than swallowed
• JWT_SECRET=changeme is rejected at startup so a default secret can't slip into production

Removed

• Old vanilla web UI consolidated into a single canonical index.html; dead internal/config/ and migrations/ packages deleted

Build 008

Changed

• Project renamed to “BackendSide DNS Manager” — binary, service, package, config paths, and Go module all carry the -manager suffix
• (Build 009 re-shipped the renamed .deb after a series of encoding fixes from PowerShell touching files on Windows)

Build 007

Fixed

• Record delete missing zone parameter; replaced browser confirm() dialogs with the project's ConfirmDialog modal

Build 006

Fixed

• BIND9 service alias issue on Ubuntu 24.04 (bind9.service vs named.service)

Build 005

Fixed

• systemd service EnvironmentFile path was .env, corrected to config.env

Build 004

Added

• Phase A UI: zone detail view with editable records, in-place record editing, SOA customisation, zone search
• SSL panel: generate self-signed certificate; enable / disable HTTPS
• Backup: download an authenticated .tar.gz of all zone files and BIND config

Build 003

Added

• Change password endpoint

Fixed

• Several record-API bugs surfaced in Phase 3/4 testing

Build 002

Added

• 3-step setup wizard: data directory → BIND9 install → admin account
• Correct SETUP_COMPLETE ordering (set only after admin creation)
• BackendSide UI theme applied to wizard

Build 001

Added

• BackendSide design system — navy #0a1027 sidebar, coral #ff5a1f accent, Inter typeface, split-pane login
• Username + password authentication with bcrypt, JWT sessions (24h)
• Improved dpkg postinst output

Initial Release

Initial Features

• Full zone CRUD — list, create, get, update, delete
• Full record CRUD — A, AAAA, CNAME, MX, NS, TXT, CAA, SRV, PTR
• File-based storage — BIND zone files are the only source of truth, no database
• Dual API auth — X-API-Key for programmatic clients, Authorization: Bearer for the web UI
• BIND9 integration — zone file generation, zones.conf management, service control
• Statically linked single binary; Debian packaging with postinst generating the API key and JWT secret on install
• Build-number tracking (.buildnumber), printed on startup and during install

Planned

0.2.0

• Webhook edit endpoint (currently you delete + recreate to change events)
• Lab DNSSEC policy (faster key rollover for CI / staging zones)
• Audit log search / filter
• Zone-level usage stats (per-zone QPS in addition to global)

1.0.0

• Secondary / slave zones with AXFR / IXFR transfer
• DNSSEC key rollover UI and Let's Encrypt ACME DNS-01 challenge support
• Multi-user with role-based access control
• High-availability clustering