github fabriziosalmi/certmate v2.19.0
v2.19.0 - Configurable rate limits + rfc2136 CNAME delegation

latest release: v2.19.1
3 hours ago

Two backlog features: operator-tunable API rate limits and DNS-alias (CNAME delegation) support for rfc2136.

Features

  • Configurable API rate limits (#319): the per-endpoint limits were hardcoded, so a trusted automation fleet (e.g. a cron deploy fanning out across VMs behind one egress IP) tripped the shared bucket with no way to raise it. Settings → API Keys → API Rate Limits now exposes a value-per-endpoint form and an on/off toggle, mirrored by GET/PUT /api/settings/rate-limits (admin). Changes apply live, with no restart; the values are read and sanitised on each request so a malformed entry can never disable a limit. The login endpoint keeps its own separate limiter.
  • rfc2136 domain_alias (CNAME delegation) (#330): domain_alias mode previously rejected rfc2136. It now writes the _acme-challenge.<alias> TXT into the alias zone with a TSIG-signed dynamic update, discovering the owning zone from the server's SOA — so one rfc2136 TSIG key can serve several zones, including externally-managed domains whose owners only add the delegating CNAME. Reuses the existing nameserver / tsig_key / tsig_secret credentials (plus an optional tsig_algorithm, default HMAC-SHA512); no new dependency. Verified against a Technitium-style HMAC-SHA512 setup.
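
The rate-limit item above states that values are read and sanitised on each request so a malformed entry can never disable a limit. The following is an added example of that fail-closed pattern, not CertMate's own code; the settings shape, endpoint names, defaults and bounds are assumptions made for illustration.

```python
"""Fail-closed sanitiser for operator-supplied rate-limit settings (illustrative)."""
import math

# Assumed shape: {"enabled": bool, "limits": {endpoint: requests_per_minute}}.
# Endpoint names, defaults and bounds are hypothetical, not CertMate's own.
DEFAULTS = {"certificates": 30, "settings": 60, "backups": 10}
MIN_LIMIT, MAX_LIMIT = 1, 10_000


def sanitise_limit(raw, default):
    """Return a usable integer limit; anything malformed falls back to default."""
    if isinstance(raw, bool):      # bool is an int subclass; never treat it as a count
        return default
    if isinstance(raw, str):
        raw = raw.strip()
        # Plain ASCII digits only: rejects "", "-1", "1e9", "0x10", unicode digits.
        if not raw.isascii() or not raw.isdigit() or len(raw) > 9:
            return default
        raw = int(raw)
    if isinstance(raw, float):
        if not math.isfinite(raw) or raw != int(raw):   # NaN, inf, 50.5
            return default
        raw = int(raw)
    if not isinstance(raw, int):   # None, lists, dicts, ...
        return default
    if raw < MIN_LIMIT:            # 0 or negative must not mean "unlimited"
        return default
    return min(raw, MAX_LIMIT)     # oversized values are clamped, not trusted


def effective_limits(stored):
    """Build the limits used for one request from untrusted stored settings."""
    if not isinstance(stored, dict):
        return True, dict(DEFAULTS)
    # Only a literal False switches limiting off; "false", 0 or None do not.
    enabled = stored.get("enabled", True) is not False
    supplied = stored.get("limits")
    if not isinstance(supplied, dict):
        supplied = {}
    # Iterate over known endpoints so unknown keys cannot add or drop a bucket.
    limits = {ep: sanitise_limit(supplied.get(ep, d), d)
              for ep, d in DEFAULTS.items()}
    return enabled, limits
```

Because the sanitiser runs on every read rather than only on write, a settings file edited by hand or corrupted on disk is handled the same way as a bad PUT body.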
