1.6.0 (March 28, 2024)


Catalog zones are only supported for PowerDNS Authoritative Server v4.9.0 and higher. Enable catalog zone support by setting ZONECONTROL_CATALOG_ZONE_SUPPORT to True in

Note that a customer can have a custom ZONECONTROL_ALLOW_ZONE_KINDS set, if ZONE_KIND_PRODUCER and ZONE_KIND_CONSUMER are not in there the customer will not be able to add these zones through ZoneControl. (But will be able to use catalog functionality for existing Producer zones.)

Audit logging can now also be echoed to standard out or a file. This is disabled by default and can be enabled by setting ZONECONTROL_AUDITLOG_STDOUT to True in By default this logging will be in JSON format but it is also possible to disable this and have plain text output; this is done by setting ZONECONTROL_JSON_LOGGING to False. (The intention is to switch to JSON logging output for ALL ZoneControl logging in some future major version.)

There’s now a showversion management command that will show the ZoneControl version for an official release. Otherwise it will show the hardcoded 0.0.123 value.


  • Support for catalog zones (!301)

  • Add showversion management command (!304)


  • Warn when chunk length is over 255 bytes for Lua records (!302)

  • Improve warning when loading zones that do not exist (!305)

  • Also, optionally, echo audit logging to standard out or a file (!307)


  • Improve error handling for Prometheus metrics code (!303)

  • Return 409 Conflict (like the Auth) instead of a stacktrace and internal server error when creating a zone that already exists (!306)

1.5.1 (November 1, 2023)


Prometheus metrics are now published on /metrics (the default for Prometheus and in our other products). By default this is turned off and can be turned on by setting ZONECONTROL_METRICS_ENABLED to True in Accessing the metrics requires no authentication. The number of zones metric (zonecontrol_zones) is only exported when the caching of zones is enabled (ZONECONTROL_CACHE_ZONES = True).


  • Make sure users with RRSet limits cannot export zones (!296, !297)

  • Fix issue with Native staying the default in the background when removing it from ZONECONTROL_ALLOW_ZONE_KINDS (!295)


  • Publish Prometheus metrics on /metrics (!298)

1.5.0 (October 2, 2023)


Zone names are now normalized when parsing them from the API or UI. In the past Curl scripts used for migrations at customers used zones without a dot at the end. These will still work but realize the zone will always get a dot at the end inside ZoneControl now.

Database tables for zone audit logs and zone history at customers may still have entries without a dot at the end. This release comes with a migration to append a dot to zones without a dot (at the end) in the audit log and zone history tables. Please test this migration in a non-production environment first!

The HTTP status response code for a successful POST call to api/v1/servers/«SERVER_ID»/zones has been changed from 200 to 201. This is the API call for creating a zone.

This might affect software and scripts that check for an exact 2xx status response instead of checking for a success response code.

It is now possible to override the Gunicorn config with an /etc/zonecontrol/ file. This procedure is similar to how it is done in the Platform Filter and is already implemented in the ZoneControl Ansible role.


  • Fix silent failure when adding a zone with non-canonical nameservers (no dot at the end) (!294)

  • Normalize zone names when receiving them from the API or UI (!286)

  • Make background opaque on template dropdown UI element (!285)

  • Check for AnonymousUser in more places, preventing stack traces (!284)

  • Make ZoneControl API status code for creating a zone equal that of the Authoritative API (!276)


  • Support Gunicorn config overrides (!277)


  • Remove the DNSSEC dialog flicker when opening a zone for the second (or more) time; this also removes a lot of errors on the dev console (!287)

  • Fix several build issues making them less flaky and faster (!289, !282, !281)

  • Adapt PDNS Auth API tests for ZoneControl, adding a new test suite (!280)

  • Add documentation for zone templates (!292)

1.4.2 (May 19, 2023)


ZONECONTROL_NSEC3PARAM_DEFAULT can be changed in, but it is advised to keep it at the default of "1 0 0 -".


  • Support for PEP 440 compliant version numbers so RPM packages built again (!270)


  • NSEC3 support in DNSSEC settings for zones (!271)


  • Added EL9 packages (!275)

  • Upload documentation from GitLab CI to (!273)

  • Auth API docs are now proxied through ZoneControl (!272)

1.4.1 (September 2, 2022)


  • Fix quotes in LUA example record (!261)

  • App: hide PTR checkbox when auto PTRs are disabled (!261)

  • Fix crash due to double saving of audit logs (!261)

  • Fix editing of LUA records (ZC-156, !261)

1.4.0 (March 10, 2022)

From this release onwards Debian Buster is no longer supported.


  • Admin option ZONECONTROL_SERVERS_READONLY (ZC-147, !259)

  • Allow disabling history. scheduling, comments and auditlog (ZC-147, !257)


  • Upgrade to a Python 3.9 that we ship (ZC-150, !258)

1.3.4 (October 14, 2021)


  • Take the Server into account when displaying RRSet comments (ZC-144, !256)

1.3.3 (July 09, 2021)


  • Implement the search API endpoint with permission checking (ZC-120, !249)


  • Stop frontend freezing when searching for template zones with many eligable zones (ZC-130, !253)

1.3.2 (March 25, 2021)


  • Expose that ZoneControl does APIv1 on /api, as some clients use this information (ZC-117, !247)


  • Adding and editing a root zone (.) now works in the ZoneControl frontend (ZC-118, !248)

  • Fixed a broken shebang in /usr/share/zonecontrol/bin/ in the Debian packages (!250)

1.3.1 (January 21, 2021)


  • PostGreSQL support has been added and can be enabled by installing zonecontrol-postgresql (!245)


  • Zone names starting with an _ are no longer improperly escaped (ZC-98, !244)


  • zonecontrol-cache has been split into a seperate package for Debian, as was the case for EL

1.3.0 (November 26, 2020)

  • Alpha 1: September 22, 2020


  • zonecontrol-ldap package has been added for integration into LDAP/AD environments (ZC-93, !230)


  • Requests that trigger the creation of an Auditlog no longer fail when the User Agent string is too long (ZC-88, !228)

  • Ensure the API endpoints return Content-Type: application/json (ZC-92, !232)


  • Add OPENPGPKEY help text (ZC-7, !233)

  • Update the link to the ALIAS record howto (!233)

  • Audit log now uses X-Forwarded-For header to get the remote IP address when ZoneControl is behind a proxy (ZC-91, !229)

  • Remove the proprietary HTTP Redirect record (!233)

1.2.0 (June 15, 2020)

  • Alpha 1: February 26 2020

  • Beta 1: March 16 2020

  • RC 1: April 22, 2020


  • Implement automatic PTR record creation (ZC-42, !196)

  • The zones list can be cached in Redis, drastically improving performance of the web-interface when PowerDNS is serving many domains (!206)

    • This requires the zonecontrol-cache service to be running

    • This caching can be controlled by the the ZONECONTROL_CACHE_ZONES_* settings

  • The DNSSEC information is not longer requested by default for the zone-overview, improving performance of the frontend (!203)

    • This can be controlled with the ZONECONTROL_ZONE_OVERVIEW_DNSSEC configuration option

  • The ‘edited’ serial is now displayed in the zone-overview (ZC-40, !201)

  • New distribution support:

    • RHEL/CentOS/OL 8

    • Debian Buster


  • The slave notifications status is hidden for Native zones (ZC-52, !208)

  • Underscored records no longer appear in the wrong place in the interface (ZC-5, !207)

    • This also improves the display of rrset with the same owner name


  • Permission management has been tightened (ZC-1, !194)

    • Users with these permissions and staff status can add users to their groups:

      • auth | group | Can change group

      • auth | user | Can change user

    • The same user can not see groups they don’t belong to

    • Staff users with ‘Can change user’ permissions can no longer - See or give staff status - See or give superuser status - Edit user permissions

    • No one but superuser can now edit - User permissions - Group permissions

    • Users can only see users from their groups in the user-admin, but they can add them to their groups in the group-admin

    • Several fields in the administrative interface have been hidden as a result

    • Zone and server permissions are now enforced for staff-users in the administrative backend (ZC-14, !216)

  • Several visuals in the frontend have been harmonized and improved (!215)

  • Django is updated to the latest LTS version, 2.2 (!204)

  • Javascript components are upgraded. Most importantly, Angular is now at version 7.2 (!193)

  • Documentation has been updated with all new features and sections on the permissions model

1.1.1 (July 10, 2019)


  • Don’t have an empty result when the per-RRset limits list is longer than 1 (!199)

1.1.0 (June 24, 2019)

  • Alpha 1: internal only

  • Alpha 2: internal only

  • Alpha 3: May 20 2019

  • Beta 1: May 23 2019


  • Support for the PowerDNS Authoritative Server 4.0 has been dropped. (#146)

  • pkgs: Depend on the Python 3.6 from EPEL, not on the one from SCL (!186)


  • Ability to limit the kinds of zones that are allowed to be created. By default, all 3 kinds are allowed. This limit can be set in the file by the system administrator. (!172)

  • The zone overview is paginated, showing 25 zones per page. (PDNS-37, !171)

  • The records overview is paginated, showing 200 records per page. (PDNS-37, !171)

  • PTR records can be automatically generated by appending a ‘*’ after the ip address. This feature can be disabled in the by the system administrator. (PDNS-158, PDNS-189, !174)

  • The zone settings dialog has been extended with buttons to queue NOTIFY messages (for master zones) and retrieve the zone (for slave zones). The system administrator can disable this feature in (!173)

  • The DNSSEC dialog shows what kind of keys will be created once the user clicks “Enable DNSSEC”. (PDNS-39, !175)

  • An ‘advanced DNSSEC’ role permission has been added. Users with this permission have a tab in the DNSSEC dialog that allows manipulation of all keys. (PDNS-39, !175)

  • Per-RRSet role-based access control has been added. This feature allows roles to be restricted to records of certain names and types. By default, all records are allowed when a role has access to a zone. (PDNS-165, PDNS-35, !178)


  • Fix alert when attempting to add an internally managed record at the apex. (#169)

  • Ensure the UI shows ‘repeated’ zone names. (PDNS-206, #166)

  • Mark required textareas in forms. (#167)

1.0.1 (July 17, 2018)


  • Implement rolebased API “pass through” (#128)

  • Comments for zone records (#122) - Tool to import comments from PowerDNS Authoritative Server

  • roles: Granular permissions for zone settings, DNSSEC and version restores (#104)


  • pkg: Let yum figure out which mysql lib to pull in (#144)

  • pkg: Add MySQL support package for CentOS 7 (#127)

  • admin: More user-friendly role admin UI (#104)

  • dnssec: When enabling DNSSEC, the configured DNSSEC server defaults are now honored (#105)


  • Fix API error when adding or removing zone (#139)

  • Catch SOA entries that do not exist (#133)

  • backend: Fix 500 error when adding non-template zone (cf0393e)

  • builder: Fix missing styling in built packages, debian build fixes (#95)

1.0.0 (September 20, 2017)

First release.


  • Zone version history and restore (#56)

  • Zone templates (#63)

  • builder: New build system, CentOS 7 and Debian Stretch packages (#70)

IMPROVEMENTS: - libs: Upgraded to Angular 4.3.6 and Webpack 3.5.5

BUG FIXES: - dnssec: Correct handling of ksk/zsk keys in UI (#65)