From 1285238d9552091e4550c85e2874981d4a2a239a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
Date: Tue, 7 Nov 2023 15:17:10 +0100
Subject: [PATCH 1/2] Deprecate AES algorithm for DNS cookies
The AES algorithm for DNS cookies was being kept for legacy reasons, and it can be safely removed in the next major release. Mark is as deprecated, so the `named-checkconf` prints a warning when in use.
(cherry picked from commit 67d14b0ee541b5bacf7c295b4231a49ae435941c)
---
 lib/bind9/check.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index 695090e02b..1c850d8e5a 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -1608,6 +1608,10 @@ check_options(const cfg_obj_t *options, const cfg_obj_t *config,
 (void)cfg_map_get(options, "cookie-algorithm", &obj);
 if (obj != NULL) {
 ccalg = cfg_obj_asstring(obj);
+ if (strcasecmp(ccalg, "aes") == 0) {
+ cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
+ "cookie-algorithm 'aes' is deprecated");
+ }
 }
 obj = NULL;
From a9e4d6c6820fcc5987b08e0004369ad476c6ce75 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
Date: Tue, 7 Nov 2023 14:44:44 +0100
Subject: [PATCH 2/2] Add CHANGES and release note for [GL #4421]
(cherry picked from commit 2a3b3beaf1db22c5f11490c23874eb0ec00ad836)
---
 CHANGES | 2 ++
 doc/notes/notes-current.rst | 3 ++-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/CHANGES b/CHANGES
index ed34827598..062b5ebe43 100644
--- a/CHANGES
+++ b/CHANGES
@@ -9,6 +9,8 @@ on TCP connection failure as well as for UDP timeouts. [GL #4396]
+6282. [func] Deprecate AES-based DNS cookies. [GL #4421]
+ --- 9.18.20 released ---
 6280. [bug] Fix missing newlines in the output of "rndc nta -dump".
diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst
index 180768d95b..615f5187bc 100644
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
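Review bot: The warning added inside the `if (obj != NULL)` branch of the lib/bind9/check.c hunk says `aes` is deprecated but gives the operator no migration target, so a `named-checkconf` run leaves them to look up the alternative; I would name it in the message, e.g. `"cookie-algorithm 'aes' is deprecated; use 'siphash24'"`. Servers answering on a shared address need the same cookie algorithm and secret for their server cookies to validate across instances, so a short comment above the check such as `/* 'aes' is legacy only; servers sharing an address must switch algorithm together */` would record why the migration has to be coordinated. No checkconf test for the new warning is visible in this patch series, though one may exist elsewhere. `check_options` begins and ends outside the hunk.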
@@ -25,7 +25,8 @@ New Features
 Removed Features
 ~~~~~~~~~~~~~~~~
-- None.
+- The support for AES algorithm for DNS cookies has been deprecated.
+ :gl:`#4421`
 Feature Changes
 ~~~~~~~~~~~~~~~