The AES algorithm for DNS cookies was being kept for legacy reasons,
and it can be safely removed in the next major release. Mark it as
deprecated, so that `named-checkconf` prints a warning when it is in use.
(void)cfg_map_get(options, "cookie-algorithm", &obj);
if (obj != NULL) {
ccalg = cfg_obj_asstring(obj);
+ if (strcasecmp(ccalg, "aes") == 0) {
+ cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
+ "cookie-algorithm 'aes' is deprecated");
+ }
}
obj = NULL;
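Review bot: The warning text in the added cfg_obj_log() call says only "cookie-algorithm 'aes' is deprecated", which gives the operator no indication of urgency or of what to do next. The commit message states that the algorithm is to be removed in the next major release, so consider carrying that into the message, for example "cookie-algorithm 'aes' is deprecated and will be removed in a future release", and pointing at the supported alternative. The strcasecmp() match is case-insensitive, so a named-checkconf test case with a mixed-case value such as "AES" would confirm the warning fires for every spelling the parser accepts.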