From 220a4a33169724e03919672726ab266982afb1b7 Mon Sep 17 00:00:00 2001
From: DarkCat09
Date: Wed, 28 Aug 2024 14:42:27 +0400
Subject: [PATCH] fix: filter out non-full TLSA (we can't extract public key for now)
---
 src/dns.rs | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/dns.rs b/src/dns.rs
index 95fa74f..e7056f4 100644
--- a/src/dns.rs
+++ b/src/dns.rs
@@ -89,7 +89,9 @@ impl DnsClient {
 Ok(answers.into_iter().filter_map(|rec| {
 if let Some(RData::TLSA(tlsa)) = rec.data() {
 if tlsa.cert_usage() == CertUsage::DomainIssued
- && tlsa.selector() == Selector::Spki
+ // maybe implement extracting public key later,
+ // but for now only accept TLSA records with full certs hashed
+ && tlsa.selector() == Selector::Full
 {
 match tlsa.matching() {
 Matching::Sha256 => CertFingerprint::try_from_sha256(tlsa.cert_data())
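Review bot: TLSA records whose selector is not `Selector::Full` are now dropped silently inside this filter_map, so a zone that publishes only the widely used `3 1 1` form (DANE-EE, SPKI, SHA-256) yields zero usable fingerprints with nothing to tell the operator why; a debug-level log at the point a record is rejected for its selector (and for a cert_usage other than DomainIssued, which was already skipped silently before this change) would make that failure diagnosable. The new comment would also be clearer placed above the `if` rather than between the two `&&` operands, and it should state the contract the change relies on, e.g. `// Only Selector::Full (0) is accepted: the fingerprint is computed over the whole DER certificate.` followed by `// Selector::Spki (1) records are skipped until SPKI extraction is implemented.`. Whatever later compares a `CertFingerprint` against the presented certificate must now hash the full certificate DER rather than the SubjectPublicKeyInfo; that code is not in this hunk, so I cannot confirm it agrees with the new selector. The filter_map closure continues past the end of the hunk.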