From 67d14b0ee541b5bacf7c295b4231a49ae435941c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
Date: Tue, 7 Nov 2023 15:17:10 +0100
Subject: [PATCH 1/2] Deprecate AES algorithm for DNS cookies

The AES algorithm for DNS cookies was being kept for legacy reasons, and it can be safely removed in the next major release. Mark is as deprecated, so the `named-checkconf` prints a warning when in use.
---
 lib/isccfg/check.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/lib/isccfg/check.c b/lib/isccfg/check.c
index 148d5c6c4a..307bf9b652 100644
--- a/lib/isccfg/check.c
+++ b/lib/isccfg/check.c
@@ -1561,6 +1561,10 @@ check_options(const cfg_obj_t *options, const cfg_obj_t *config,
 (void)cfg_map_get(options, "cookie-algorithm", &obj);
 if (obj != NULL) {
 ccalg = cfg_obj_asstring(obj);
+ if (strcasecmp(ccalg, "aes") == 0) {
+ cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
+ "cookie-algorithm 'aes' is deprecated");
+ }
 }
 
 obj = NULL;
From 2a3b3beaf1db22c5f11490c23874eb0ec00ad836 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
Date: Tue, 7 Nov 2023 14:44:44 +0100
Subject: [PATCH 2/2] Add CHANGES and release note for [GL #4421]

---
 CHANGES | 2 ++
 doc/notes/notes-current.rst | 3 +++
 2 files changed, 5 insertions(+)

diff --git a/CHANGES b/CHANGES
index 14a5ff11ed..53d1a989f3 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+6282. [func] Deprecate AES-based DNS cookies. [GL #4421]
+
 6281. [bug] Fix a data race in dns_tsigkeyring_dump(). [GL #4328]
 
 6280. [bug] Fix missing newlines in the output of "rndc nta -dump".
diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst
index c9888b8fe8..9be8687422 100644
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -27,6 +27,9 @@ Removed Features
 
 - None.
 
+- The support for AES algorithm for DNS cookies has been deprecated.
+ :gl:`#4421`
+
 Feature Changes
 ~~~~~~~~~~~~~~~
 
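Review bot: The warning added in the `cookie-algorithm` branch of check_options() tells the operator that 'aes' is deprecated but not what to configure instead; naming the replacement would make the `named-checkconf` output actionable, e.g. `"cookie-algorithm 'aes' is deprecated; use 'siphash24'"`. Servers that share a `cookie-secret` (an anycast set, for example) presumably have to change algorithm together for cookies to keep validating across them, which would be worth a sentence in the release note. Neither patch in the series, as shown in the diffstats, adds a checkconf test that pins the warning, so a later refactor of this branch could drop it unnoticed. check_options() starts and ends outside the hunk.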