fix: filter out non-full TLSA (we can't extract public key for now)

2024-08-28 14:42:27 +04:00 · 2024-08-28 14:42:27 +04:00 · 220a4a3316
commit 220a4a3316
parent 060aa4a1f7
1 changed files with 3 additions and 1 deletions
--- a/src/dns.rs
+++ b/src/dns.rs
@ -89,7 +89,9 @@ impl DnsClient {
            Ok(answers.into_iter().filter_map(|rec| {
                if let Some(RData::TLSA(tlsa)) = rec.data() {
                    if tlsa.cert_usage() == CertUsage::DomainIssued
-                        && tlsa.selector() == Selector::Spki
+                        // maybe implement extracting public key later,
+                        // but for now only accept TLSA records with full certs hashed
+                        && tlsa.selector() == Selector::Full
                    {
                        match tlsa.matching() {
                            Matching::Sha256 => CertFingerprint::try_from_sha256(tlsa.cert_data())