fix: filter out non-full TLSA (we can't extract public key for now)

DarkCat09 2024-08-28 14:42:27 +04:00
parent 060aa4a1f7
commit 220a4a3316
Signed by: DarkCat09
GPG key ID: BD3CE9B65916CD82


@ -89,7 +89,9 @@ impl DnsClient {
Ok(answers.into_iter().filter_map(|rec| {
if let Some(RData::TLSA(tlsa)) = rec.data() {
if tlsa.cert_usage() == CertUsage::DomainIssued
&& tlsa.selector() == Selector::Spki
// maybe implement extracting public key later,
// but for now only accept TLSA records with full certs hashed
&& tlsa.selector() == Selector::Full
{
match tlsa.matching() {
Matching::Sha256 => CertFingerprint::try_from_sha256(tlsa.cert_data())
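Review bot: With the new condition `&& tlsa.selector() == Selector::Full`, TLSA records that use `Selector::Spki` no longer pass the `if`. As far as the hunk shows, `filter_map` then drops them without any signal. A domain that publishes only SPKI-selector records would yield the same empty list as a domain with no TLSA records at all. How the caller treats an empty list is not visible here, but if it reads it as "nothing to pin against", such hosts lose the TLSA check without any trace. I would make the limitation explicit in the comment, e.g. `// SPKI-selector records are skipped: callers get an empty list and cannot tell it from "no TLSA published"`, and consider logging each skipped record at debug level. The closure and the `match tlsa.matching()` arms continue past the end of the hunk, so the handling of other matching types could not be checked.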