diff --git a/CHANGES b/CHANGES
index ed34827598..062b5ebe43 100644
--- a/CHANGES
+++ b/CHANGES
@@ -9,6 +9,8 @@
 on TCP connection failure as well as for UDP timeouts. [GL #4396]
+6282. [func] Deprecate AES-based DNS cookies. [GL #4421]
+
 --- 9.18.20 released ---
 6280. [bug] Fix missing newlines in the output of "rndc nta -dump".
diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst
index 180768d95b..615f5187bc 100644
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -25,7 +25,8 @@ New Features
 Removed Features
 ~~~~~~~~~~~~~~~~
-- None.
+- The support for AES algorithm for DNS cookies has been deprecated.
+ :gl:`#4421`
 Feature Changes
 ~~~~~~~~~~~~~~~
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index 695090e02b..1c850d8e5a 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -1608,6 +1608,10 @@ check_options(const cfg_obj_t *options, const cfg_obj_t *config,
 (void)cfg_map_get(options, "cookie-algorithm", &obj);
 if (obj != NULL) {
 ccalg = cfg_obj_asstring(obj);
+if (strcasecmp(ccalg, "aes") == 0) {
+cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
+"cookie-algorithm 'aes' is deprecated");
+}
 }
 obj = NULL;
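Review bot: The new warning in check_options names the deprecated value but not its replacement, so an operator seeing it in the log still has to look up which cookie-algorithm remains supported; `"cookie-algorithm 'aes' is deprecated, use 'siphash24' instead"` would make the required change self-explanatory. This check lives in the configuration checker; if named's own option loading takes a separate path, the same warning should be emitted there too, which cannot be confirmed from this hunk. A deprecation also normally warrants updating the cookie-algorithm entry in the named.conf reference documentation, and only CHANGES and the release notes are touched in the visible part of this diff. check_options begins outside the hunk.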