Merge branch '4421-deprecate-AES-based-DNS-cookies-9.18' into 'bind-9.18'

[9.18] Deprecate AES algorithm for DNS cookies See merge request isc-projects/bind9!8486
2026-05-28 04:34:54 -04:00 · 2023-12-05 10:28:38 +00:00 · 2023-12-05 10:28:38 +00:00 · 46925fb8f5
commit 46925fb8f5
parent 3b24611844 a9e4d6c682
3 changed files with 8 additions and 1 deletions
--- a/2
+++ b/2
@ -9,6 +9,8 @@
 			on TCP connection failure as well as for UDP timeouts.
 			[GL #4396]

+6282.	[func]		Deprecate AES-based DNS cookies. [GL #4421]
+
 	--- 9.18.20 released ---

 6280.	[bug]		Fix missing newlines in the output of "rndc nta -dump".
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@ -25,7 +25,8 @@ New Features
 Removed Features
 ~~~~~~~~~~~~~~~~

- None.
+- The support for AES algorithm for DNS cookies has been deprecated.
+  :gl:`#4421`

 Feature Changes
 ~~~~~~~~~~~~~~~
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@ -1608,6 +1608,10 @@ check_options(const cfg_obj_t *options, const cfg_obj_t *config,
 	(void)cfg_map_get(options, "cookie-algorithm", &obj);
 	if (obj != NULL) {
 		ccalg = cfg_obj_asstring(obj);
+		if (strcasecmp(ccalg, "aes") == 0) {
+			cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
+				    "cookie-algorithm 'aes' is deprecated");
+		}
 	}

 	obj = NULL;