While we do currently show a failure on invalid TLSA records, some use cases may prefer we reject the connection entirely in this case.
It is likely best to put this in the Expert settings, but shouldn't be hard to add generally.
It's a bit quiet in here.