From: Ondřej Surý
Date: Tue, 7 Nov 2023 14:17:10 +0000 (+0100)
Subject: Deprecate AES algorithm for DNS cookies
X-Git-Tag: v9.19.19~38^2~1
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=67d14b0ee541b5bacf7c295b4231a49ae435941c;p=thirdparty%2Fbind9.git
Deprecate AES algorithm for DNS cookies
The AES algorithm for DNS cookies was being kept for legacy reasons, and it can be safely removed in the next major release. Mark is as deprecated, so the `named-checkconf` prints a warning when in use.
---
diff --git a/lib/isccfg/check.c b/lib/isccfg/check.c
index 148d5c6c4ab..307bf9b6522 100644
--- a/lib/isccfg/check.c
+++ b/lib/isccfg/check.c
@@ -1561,6 +1561,10 @@ check_options(const cfg_obj_t *options, const cfg_obj_t *config,
 (void)cfg_map_get(options, "cookie-algorithm", &obj);
 if (obj != NULL) {
 ccalg = cfg_obj_asstring(obj);
+ if (strcasecmp(ccalg, "aes") == 0) {
+ cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
+ "cookie-algorithm 'aes' is deprecated");
+ }
 }
 obj = NULL;
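Review bot: The warning added in check_options() says that `aes` is deprecated but not what to configure instead, so the log line alone gives the operator nothing to act on. Consider naming the replacement in the message, e.g. `"cookie-algorithm 'aes' is deprecated; use 'siphash24'"`; siphash24 is, as far as I know, the other accepted value, so confirm it against the option grammar. Servers that answer on a shared address generally need the same cookie-algorithm and cookie-secret for cookies to validate across them, so a comment above the check would help, such as `/* 'aes' is kept only for legacy deployments; warn so operators can plan a coordinated switch. */`. The body of check_options() starts and ends outside this hunk.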