fix: filter out non-full TLSA (we can't extract public key for now)
This commit is contained in:
parent
060aa4a1f7
commit
220a4a3316
1 changed files with 3 additions and 1 deletions
|
@ -89,7 +89,9 @@ impl DnsClient {
|
|||
Ok(answers.into_iter().filter_map(|rec| {
|
||||
if let Some(RData::TLSA(tlsa)) = rec.data() {
|
||||
if tlsa.cert_usage() == CertUsage::DomainIssued
|
||||
&& tlsa.selector() == Selector::Spki
|
||||
// maybe implement extracting public key later,
|
||||
// but for now only accept TLSA records with full certs hashed
|
||||
&& tlsa.selector() == Selector::Full
|
||||
{
|
||||
match tlsa.matching() {
|
||||
Matching::Sha256 => CertFingerprint::try_from_sha256(tlsa.cert_data())
|
||||
|
|
Loading…
Reference in a new issue