Infisical · JustinBack · Apr 1, 2026 · Apr 1, 2026 · Apr 1, 2026 · Apr 1, 2026
diff --git a/backend/src/server/routes/v1/app-connection-routers/app-connection-router.ts b/backend/src/server/routes/v1/app-connection-routers/app-connection-router.ts
@@ -82,6 +82,10 @@ import {
   DNSMadeEasyConnectionListItemSchema,
   SanitizedDNSMadeEasyConnectionSchema
 } from "@app/services/app-connection/dns-made-easy/dns-made-easy-connection-schema";
+import {
+  PowerDNSConnectionListItemSchema,
+  SanitizedPowerDNSConnectionSchema
+} from "@app/services/app-connection/powerdns/powerdns-connection-schema";
 import {
   ExternalInfisicalConnectionListItemSchema,
   SanitizedExternalInfisicalConnectionSchema
@@ -228,6 +232,7 @@ const SanitizedAppConnectionSchema = z.union([
   ...SanitizedAzureEntraIdConnectionSchema.options,
   ...SanitizedVenafiConnectionSchema.options,
   ...SanitizedExternalInfisicalConnectionSchema.options,
+  ...SanitizedPowerDNSConnectionSchema.options,
   ...SanitizedNetScalerConnectionSchema.options
 ]);
 
@@ -286,6 +291,7 @@ const AppConnectionOptionsSchema = z.discriminatedUnion("app", [
   AzureEntraIdConnectionListItemSchema,
   VenafiConnectionListItemSchema,
   ExternalInfisicalConnectionListItemSchema,
+  PowerDNSConnectionListItemSchema,
   NetScalerConnectionListItemSchema,
   AnthropicConnectionListItemSchema
 ]);

diff --git a/backend/src/server/routes/v1/app-connection-routers/index.ts b/backend/src/server/routes/v1/app-connection-routers/index.ts
@@ -23,6 +23,7 @@ import { registerDatabricksConnectionRouter } from "./databricks-connection-rout
 import { registerDbtConnectionRouter } from "./dbt-connection-router";
 import { registerDigitalOceanConnectionRouter } from "./digital-ocean-connection-router";
 import { registerDNSMadeEasyConnectionRouter } from "./dns-made-easy-connection-router";
+import { registerPowerDNSConnectionRouter } from "./powerdns-connection-router";
 import { registerExternalInfisicalConnectionRouter } from "./external-infisical-connection-router";
 import { registerFlyioConnectionRouter } from "./flyio-connection-router";
 import { registerGcpConnectionRouter } from "./gcp-connection-router";
@@ -115,6 +116,7 @@ export const APP_CONNECTION_REGISTER_ROUTER_MAP: Record<AppConnection, (server:
     [AppConnection.AzureEntraId]: registerAzureEntraIdConnectionRouter,
     [AppConnection.Venafi]: registerVenafiConnectionRouter,
     [AppConnection.ExternalInfisical]: registerExternalInfisicalConnectionRouter,
+    [AppConnection.PowerDNS]: registerPowerDNSConnectionRouter,
     [AppConnection.NetScaler]: registerNetScalerConnectionRouter,
     [AppConnection.Anthropic]: registerAnthropicConnectionRouter
   };
diff --git a/backend/src/server/routes/v1/app-connection-routers/powerdns-connection-router.ts b/backend/src/server/routes/v1/app-connection-routers/powerdns-connection-router.ts
@@ -0,0 +1,18 @@
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import {
+  CreatePowerDNSConnectionSchema,
+  SanitizedPowerDNSConnectionSchema,
+  UpdatePowerDNSConnectionSchema
+} from "@app/services/app-connection/powerdns/powerdns-connection-schema";
+
+import { registerAppConnectionEndpoints } from "./app-connection-endpoints";
+
+export const registerPowerDNSConnectionRouter = async (server: FastifyZodProvider) => {
+  registerAppConnectionEndpoints({
+    app: AppConnection.PowerDNS,
+    server,
+    sanitizedResponseSchema: SanitizedPowerDNSConnectionSchema,
+    createSchema: CreatePowerDNSConnectionSchema,
+    updateSchema: UpdatePowerDNSConnectionSchema
+  });
+};
diff --git a/backend/src/services/app-connection/app-connection-enums.ts b/backend/src/services/app-connection/app-connection-enums.ts
@@ -53,6 +53,7 @@ export enum AppConnection {
   AzureEntraId = "azure-entra-id",
   Venafi = "venafi",
   ExternalInfisical = "external-infisical",
+  PowerDNS = "powerdns",
   NetScaler = "netscaler",
   Anthropic = "anthropic"
 }

diff --git a/backend/src/services/app-connection/app-connection-fns.ts b/backend/src/services/app-connection/app-connection-fns.ts
@@ -118,6 +118,11 @@ import {
   getDNSMadeEasyConnectionListItem,
   validateDNSMadeEasyConnectionCredentials
 } from "./dns-made-easy/dns-made-easy-connection-fns";
+import { PowerDNSConnectionMethod } from "./powerdns/powerdns-connection-enum";
+import {
+  getPowerDNSConnectionListItem,
+  validatePowerDNSConnectionCredentials
+} from "./powerdns/powerdns-connection-fns";
 import {
   ExternalInfisicalConnectionMethod,
   getExternalInfisicalConnectionListItem,
@@ -232,6 +237,7 @@ const PKI_APP_CONNECTIONS = [
   AppConnection.DNSMadeEasy,
   AppConnection.AzureDNS,
   AppConnection.Venafi,
+  AppConnection.PowerDNS,
   AppConnection.NetScaler
 ];
 
@@ -292,6 +298,7 @@ export const listAppConnectionOptions = (projectType?: ProjectType) => {
     getAzureEntraIdConnectionListItem(),
     getVenafiConnectionListItem(),
     getExternalInfisicalConnectionListItem(),
+    getPowerDNSConnectionListItem(),
     getNetScalerConnectionListItem()
   ]
     .filter((option) => {
@@ -443,7 +450,8 @@ export const validateAppConnectionCredentials = async (
       validateExternalInfisicalConnectionCredentials(
         config as TExternalInfisicalConnectionConfig,
         deps.identityUaDAL
-      )) as TAppConnectionCredentialsValidator
+      )) as TAppConnectionCredentialsValidator,
+    [AppConnection.PowerDNS]: validatePowerDNSConnectionCredentials as TAppConnectionCredentialsValidator
   };
 
   return VALIDATE_APP_CONNECTION_CREDENTIALS_MAP[appConnection.app](appConnection, gatewayService, gatewayV2Service);
@@ -538,6 +546,8 @@ export const getAppConnectionMethodName = (method: TAppConnection["method"]) =>
       return "Basic Auth";
     case ExternalInfisicalConnectionMethod.MachineIdentityUniversalAuth:
       return "Machine Identity - Universal Auth";
+    case PowerDNSConnectionMethod.APIKey:
+      return "API Key";
     default:
       // eslint-disable-next-line @typescript-eslint/restrict-template-expressions
       throw new Error(`Unhandled App Connection Method: ${method}`);

diff --git a/backend/src/services/app-connection/app-connection-maps.ts b/backend/src/services/app-connection/app-connection-maps.ts
@@ -55,6 +55,7 @@ export const APP_CONNECTION_NAME_MAP: Record<AppConnection, string> = {
   [AppConnection.AzureEntraId]: "Azure Entra ID",
   [AppConnection.Venafi]: "Venafi TLS Protect Cloud",
   [AppConnection.ExternalInfisical]: "Infisical",
+  [AppConnection.PowerDNS]: "PowerDNS",
   [AppConnection.NetScaler]: "NetScaler",
   [AppConnection.Anthropic]: "Anthropic"
 };
@@ -114,6 +115,7 @@ export const APP_CONNECTION_PLAN_MAP: Record<AppConnection, AppConnectionPlanTyp
   [AppConnection.AzureEntraId]: AppConnectionPlanType.Regular,
   [AppConnection.Venafi]: AppConnectionPlanType.Regular,
   [AppConnection.ExternalInfisical]: AppConnectionPlanType.Regular,
+  [AppConnection.PowerDNS]: AppConnectionPlanType.Regular,
   [AppConnection.NetScaler]: AppConnectionPlanType.Regular,
   [AppConnection.Anthropic]: AppConnectionPlanType.Regular
 };
diff --git a/backend/src/services/app-connection/app-connection-service.ts b/backend/src/services/app-connection/app-connection-service.ts
@@ -90,6 +90,8 @@ import { ValidateDigitalOceanConnectionCredentialsSchema } from "./digital-ocean
 import { digitalOceanAppPlatformConnectionService } from "./digital-ocean/digital-ocean-connection-service";
 import { ValidateDNSMadeEasyConnectionCredentialsSchema } from "./dns-made-easy/dns-made-easy-connection-schema";
 import { dnsMadeEasyConnectionService } from "./dns-made-easy/dns-made-easy-connection-service";
+import { ValidatePowerDNSConnectionCredentialsSchema } from "./powerdns/powerdns-connection-schema";
+import { powerDnsConnectionService } from "./powerdns/powerdns-connection-service";
 import { ValidateExternalInfisicalConnectionCredentialsSchema } from "./external-infisical";
 import { externalInfisicalConnectionService } from "./external-infisical/external-infisical-connection-service";
 import { ValidateFlyioConnectionCredentialsSchema } from "./flyio";
@@ -218,6 +220,7 @@ const VALIDATE_APP_CONNECTION_CREDENTIALS_MAP: Record<AppConnection, TValidateAp
   [AppConnection.AzureEntraId]: ValidateAzureEntraIdConnectionCredentialsSchema,
   [AppConnection.Venafi]: ValidateVenafiConnectionCredentialsSchema,
   [AppConnection.ExternalInfisical]: ValidateExternalInfisicalConnectionCredentialsSchema,
+  [AppConnection.PowerDNS]: ValidatePowerDNSConnectionCredentialsSchema,
   [AppConnection.NetScaler]: ValidateNetScalerConnectionCredentialsSchema,
   [AppConnection.Anthropic]: ValidateAnthropicConnectionCredentialsSchema
 };
@@ -1081,6 +1084,7 @@ export const appConnectionServiceFactory = ({
     venafi: venafiConnectionService(connectAppConnectionById),
     azureAdcs: azureAdcsConnectionService(connectAppConnectionById),
     dnsMadeEasy: dnsMadeEasyConnectionService(connectAppConnectionById),
+    powerDns: powerDnsConnectionService(),
     azureDns: azureDnsConnectionService(connectAppConnectionById),
     zabbix: zabbixConnectionService(connectAppConnectionById),
     railway: railwayConnectionService(connectAppConnectionById),

diff --git a/backend/src/services/app-connection/powerdns/powerdns-connection-enum.ts b/backend/src/services/app-connection/powerdns/powerdns-connection-enum.ts
@@ -0,0 +1,3 @@
+export enum PowerDNSConnectionMethod {
+  APIKey = "api-key"
+}
diff --git a/backend/src/services/app-connection/powerdns/powerdns-connection-fns.ts b/backend/src/services/app-connection/powerdns/powerdns-connection-fns.ts
@@ -0,0 +1,65 @@
+import { AxiosError } from "axios";
+
+import { request } from "@app/lib/config/request";
+import { BadRequestError } from "@app/lib/errors";
+import { logger } from "@app/lib/logger";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { blockLocalAndPrivateIpAddresses } from "@app/lib/validator";
+
+
+import { PowerDNSConnectionMethod } from "./powerdns-connection-enum";
+import { TPowerDNSConnectionConfig } from "./powerdns-connection-types";
+
+export const getPowerDNSConnectionListItem = () => {
+  return {
+    name: "PowerDNS" as const,
+    app: AppConnection.PowerDNS as const,
+    methods: Object.values(PowerDNSConnectionMethod) as [PowerDNSConnectionMethod.APIKey]
+  };
+};
+
+export const validatePowerDNSConnectionCredentials = async (config: TPowerDNSConnectionConfig) => {
+  if (config.method !== PowerDNSConnectionMethod.APIKey) {
+    throw new BadRequestError({ message: "Unsupported PowerDNS connection method" });
+  }
+
+  const { apiKey, baseUrl } = config.credentials;
+
+  try {
+
+    await blockLocalAndPrivateIpAddresses(baseUrl);
+
+
+    // Use /servers/localhost/zones as the validation endpoint — it is supported by both
+    // direct PowerDNS Server and PowerDNS-Admin proxy configurations.
+    const resp = await request.get(`${baseUrl}/servers/localhost/zones`, {
+      headers: {
+        "x-api-key": apiKey,
+        Accept: "application/json"
+      }
+    });
+
+    if (resp.status !== 200) {
+      throw new BadRequestError({
+        message: "Unable to validate connection: Invalid API credentials provided."
+      });
+    }
+  } catch (error: unknown) {
+    if (error instanceof BadRequestError) {
+      throw error;
+    }
+    if (error instanceof AxiosError) {
+      throw new BadRequestError({
+        message: `Failed to validate credentials: ${
+          (error.response?.data as { error?: string })?.error || error.message || "Unknown error"
+        }`
+      });
+    }
+    logger.error(error, "Error validating PowerDNS connection credentials");
+    throw new BadRequestError({
+      message: "Unable to validate connection: verify credentials and base URL"
+    });
+  }
+
+  return config.credentials;
+};
diff --git a/backend/src/services/app-connection/powerdns/powerdns-connection-schema.ts b/backend/src/services/app-connection/powerdns/powerdns-connection-schema.ts
@@ -0,0 +1,69 @@
+import z from "zod";
+
+import { AppConnections } from "@app/lib/api-docs";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import {
+  BaseAppConnectionSchema,
+  GenericCreateAppConnectionFieldsSchema,
+  GenericUpdateAppConnectionFieldsSchema
+} from "@app/services/app-connection/app-connection-schemas";
+
+import { APP_CONNECTION_NAME_MAP } from "../app-connection-maps";
+import { PowerDNSConnectionMethod } from "./powerdns-connection-enum";
+
+export const PowerDNSConnectionApiKeyCredentialsSchema = z.object({
+  apiKey: z.string().trim().min(1, "API key required").max(256, "API key cannot exceed 256 characters"),
+  baseUrl: z
+    .string()
+    .trim()
+    .url("Base URL must be a valid URL")
+    .min(1, "Base URL required")
+    .max(1024, "Base URL cannot exceed 1024 characters")
+});
+
+const BasePowerDNSConnectionSchema = BaseAppConnectionSchema.extend({
+  app: z.literal(AppConnection.PowerDNS)
+});
+
+export const PowerDNSConnectionSchema = BasePowerDNSConnectionSchema.extend({
+  method: z.literal(PowerDNSConnectionMethod.APIKey),
+  credentials: PowerDNSConnectionApiKeyCredentialsSchema
+});
+
+export const SanitizedPowerDNSConnectionSchema = z.discriminatedUnion("method", [
+  BasePowerDNSConnectionSchema.extend({
+    method: z.literal(PowerDNSConnectionMethod.APIKey),
+    credentials: PowerDNSConnectionApiKeyCredentialsSchema.pick({ baseUrl: true })
+  }).describe(JSON.stringify({ title: `${APP_CONNECTION_NAME_MAP[AppConnection.PowerDNS]} (API Key)` }))
+]);
+
+export const ValidatePowerDNSConnectionCredentialsSchema = z.discriminatedUnion("method", [
+  z.object({
+    method: z
+      .literal(PowerDNSConnectionMethod.APIKey)
+      .describe(AppConnections.CREATE(AppConnection.PowerDNS).method),
+    credentials: PowerDNSConnectionApiKeyCredentialsSchema.describe(
+      AppConnections.CREATE(AppConnection.PowerDNS).credentials
+    )
+  })
+]);
+
+export const CreatePowerDNSConnectionSchema = ValidatePowerDNSConnectionCredentialsSchema.and(
+  GenericCreateAppConnectionFieldsSchema(AppConnection.PowerDNS)
+);
+
+export const UpdatePowerDNSConnectionSchema = z
+  .object({
+    credentials: PowerDNSConnectionApiKeyCredentialsSchema.optional().describe(
+      AppConnections.UPDATE(AppConnection.PowerDNS).credentials
+    )
+  })
+  .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.PowerDNS));
+
+export const PowerDNSConnectionListItemSchema = z
+  .object({
+    name: z.literal("PowerDNS"),
+    app: z.literal(AppConnection.PowerDNS),
+    methods: z.nativeEnum(PowerDNSConnectionMethod).array()
+  })
+  .describe(JSON.stringify({ title: APP_CONNECTION_NAME_MAP[AppConnection.PowerDNS] }));
diff --git a/backend/src/services/app-connection/powerdns/powerdns-connection-service.ts b/backend/src/services/app-connection/powerdns/powerdns-connection-service.ts
@@ -0,0 +1,3 @@
+export const powerDnsConnectionService = () => {
+  return {};
+};
diff --git a/backend/src/services/app-connection/powerdns/powerdns-connection-types.ts b/backend/src/services/app-connection/powerdns/powerdns-connection-types.ts
@@ -0,0 +1,25 @@
+import z from "zod";
+
+import { DiscriminativePick } from "@app/lib/types";
+
+import { AppConnection } from "../app-connection-enums";
+import {
+  CreatePowerDNSConnectionSchema,
+  PowerDNSConnectionSchema,
+  ValidatePowerDNSConnectionCredentialsSchema
+} from "./powerdns-connection-schema";
+
+export type TPowerDNSConnection = z.infer<typeof PowerDNSConnectionSchema>;
+
+export type TPowerDNSConnectionInput = z.infer<typeof CreatePowerDNSConnectionSchema> & {
+  app: AppConnection.PowerDNS;
+};
+
+export type TValidatePowerDNSConnectionCredentialsSchema = typeof ValidatePowerDNSConnectionCredentialsSchema;
+
+export type TPowerDNSConnectionConfig = DiscriminativePick<
+  TPowerDNSConnectionInput,
+  "method" | "app" | "credentials"
+> & {
+  orgId: string;
+};
diff --git a/backend/src/services/certificate-authority/acme/acme-certificate-authority-enums.ts b/backend/src/services/certificate-authority/acme/acme-certificate-authority-enums.ts
@@ -2,5 +2,6 @@ export enum AcmeDnsProvider {
   Route53 = "route53",
   Cloudflare = "cloudflare",
   DNSMadeEasy = "dns-made-easy",
-  AzureDNS = "azure-dns"
+  AzureDNS = "azure-dns",
+  PowerDNS = "powerdns"
 }