Deprecate AES algorithm for DNS cookies
authorOndřej Surý <ondrej@isc.org>
Tue, 7 Nov 2023 14:17:10 +0000 (15:17 +0100)
committerTom Krizek <tkrizek@isc.org>
Tue, 5 Dec 2023 09:56:19 +0000 (10:56 +0100)
The AES algorithm for DNS cookies was being kept for legacy reasons,
and it can be safely removed in the next major release.  Mark it as
deprecated, so that `named-checkconf` prints a warning when it is in use.

(cherry picked from commit 67d14b0ee541b5bacf7c295b4231a49ae435941c)

lib/bind9/check.c

index 3a78a17a071bd7ebdc8a9abbe0412505cb230b5f..ee64543ab8b29230f461674e159ade2c7a19188b 100644 (file)
@@ -1457,6 +1457,10 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
        (void)cfg_map_get(options, "cookie-algorithm", &obj);
        if (obj != NULL) {
                ccalg = cfg_obj_asstring(obj);
+               if (strcasecmp(ccalg, "aes") == 0) {
+                       cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
+                                   "cookie-algorithm 'aes' is deprecated");
+               }
        }
 
        obj = NULL;
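Review bot: The new cfg_obj_log warning tells the operator that 'aes' is deprecated but not what to do about it, so a deprecation that is meant to drive migration before the option disappears gives no migration path; the commit description says the algorithm is slated for removal in the next major release, and the message should carry that plus a pointer to the replacement, e.g. `"cookie-algorithm 'aes' is deprecated and will be removed in a future major release; use the default cookie algorithm instead"`. Since this check lives in lib/bind9/check.c, the warning presumably surfaces in named's own configuration check at startup as well as in named-checkconf, which is worth confirming and reflecting in the commit message. check_options begins and ends outside this hunk.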