fix: filter out non-full TLSA (we can't extract public key for now)

src/dns.rs

@@ -89,7 +89,9 @@ impl DnsClient {
             Ok(answers.into_iter().filter_map(|rec| {
                 if let Some(RData::TLSA(tlsa)) = rec.data() {
                     if tlsa.cert_usage() == CertUsage::DomainIssued
-                        && tlsa.selector() == Selector::Spki
+                        // maybe implement extracting public key later,
+                        // but for now only accept TLSA records with full certs hashed
+                        && tlsa.selector() == Selector::Full
                     {
                         match tlsa.matching() {
                             Matching::Sha256 => CertFingerprint::try_from_sha256(tlsa.cert_data())