Merge branch '4421-deprecate-AES-based-DNS-cookies' into 'main'

Deprecate AES algorithm for DNS cookies Closes #4421 See merge request isc-projects/bind9!8472
2023-11-13 15:00:48 +00:00
parent fd4ad5f0ba 2a3b3beaf1
commit 4ee7b803b6
3 changed files with 9 additions and 0 deletions
--- a/2
+++ b/2
@@ -1,3 +1,5 @@
+6282.	[func]		Deprecate AES-based DNS cookies. [GL #4421]
+
 6281.	[bug]		Fix a data race in dns_tsigkeyring_dump(). [GL #4328]

 6280.	[bug]		Fix missing newlines in the output of "rndc nta -dump".
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -27,6 +27,9 @@ Removed Features

 - None.

+- The support for AES algorithm for DNS cookies has been deprecated.
+  :gl:`#4421`
+
 Feature Changes
 ~~~~~~~~~~~~~~~

--- a/lib/isccfg/check.c
+++ b/lib/isccfg/check.c
@@ -1561,6 +1561,10 @@ check_options(const cfg_obj_t *options, const cfg_obj_t *config,
 	(void)cfg_map_get(options, "cookie-algorithm", &obj);
 	if (obj != NULL) {
 		ccalg = cfg_obj_asstring(obj);
+		if (strcasecmp(ccalg, "aes") == 0) {
+			cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
+				    "cookie-algorithm 'aes' is deprecated");
+		}
 	}

 	obj = NULL;