fix: filter out non-full TLSA (we can't extract public key for now)
parent
060aa4a1f7
commit
220a4a3316
1 changed files with 3 additions and 1 deletions
|
@ -89,7 +89,9 @@ impl DnsClient {
|
||||||
Ok(answers.into_iter().filter_map(|rec| {
|
Ok(answers.into_iter().filter_map(|rec| {
|
||||||
if let Some(RData::TLSA(tlsa)) = rec.data() {
|
if let Some(RData::TLSA(tlsa)) = rec.data() {
|
||||||
if tlsa.cert_usage() == CertUsage::DomainIssued
|
if tlsa.cert_usage() == CertUsage::DomainIssued
|
||||||
&& tlsa.selector() == Selector::Spki
|
// maybe implement extracting public key later,
|
||||||
|
// but for now only accept TLSA records with full certs hashed
|
||||||
|
&& tlsa.selector() == Selector::Full
|
||||||
{
|
{
|
||||||
match tlsa.matching() {
|
match tlsa.matching() {
|
||||||
Matching::Sha256 => CertFingerprint::try_from_sha256(tlsa.cert_data())
|
Matching::Sha256 => CertFingerprint::try_from_sha256(tlsa.cert_data())
|
||||||
|
|
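Review bot: Records rejected by the new `&& tlsa.selector() == Selector::Full` condition are dropped silently, so a domain that publishes only SPKI-selector TLSA records (the widely used `3 1 1` form) now produces the same empty result as a domain with no TLSA records at all. The caller is not visible in this hunk; if it treats an empty list as "nothing to pin against" and continues the connection, this filter turns into a silent loss of certificate pinning for those domains rather than a hard failure. Consider making the two cases distinguishable to the caller, or at least recording that usable-looking records were skipped. The comment should also state the contract, e.g. `// SPKI-selector records are skipped; an empty result does not mean the domain has no TLSA`. The `filter_map` closure and the `match tlsa.matching()` arms continue past the end of the hunk, so how other matching types are handled cannot be checked from here.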