diff --git a/CHANGES b/CHANGES
index 14a5ff11ed..53d1a989f3 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+6282. [func] Deprecate AES-based DNS cookies. [GL #4421]
+
 6281. [bug] Fix a data race in dns_tsigkeyring_dump(). [GL #4328]
 6280. [bug] Fix missing newlines in the output of "rndc nta -dump".
diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst
index c9888b8fe8..9be8687422 100644
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -27,6 +27,9 @@ Removed Features
 - None.
+- The support for AES algorithm for DNS cookies has been deprecated.
+ :gl:`#4421`
+
 Feature Changes
 ~~~~~~~~~~~~~~~
diff --git a/lib/isccfg/check.c b/lib/isccfg/check.c
index 148d5c6c4a..307bf9b652 100644
--- a/lib/isccfg/check.c
+++ b/lib/isccfg/check.c
@@ -1561,6 +1561,10 @@ check_options(const cfg_obj_t *options, const cfg_obj_t *config,
 (void)cfg_map_get(options, "cookie-algorithm", &obj);
 if (obj != NULL) {
 ccalg = cfg_obj_asstring(obj);
+ if (strcasecmp(ccalg, "aes") == 0) {
+ cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
+ "cookie-algorithm 'aes' is deprecated");
+ }
 }
 obj = NULL;
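Review bot: The new deprecation warning inside the `if (obj != NULL)` branch tells the operator what is going away but not what to switch to, so a configuration that still loads today leaves no migration hint in the log. If SipHash-2-4 is the remaining cookie algorithm (not visible in this hunk, so confirm against the option grammar), I would extend the message to `"cookie-algorithm 'aes' is deprecated, use 'siphash24' instead"` and put a short comment above the check, `/* AES cookies are deprecated (GL #4421); warn so operators migrate before the option is removed. */`. Note also that the warning fires only when `cookie-algorithm` is written explicitly in the config; if 'aes' can be selected by default or through another path, that path gets no notice, which is worth checking. check_options starts and ends outside this hunk.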