kdig +tls sends bad SNI
When the server is specified by IP address (the usual case), kdig sends the address as the Server Name Indication (SNI) during the TLS handshake. That is not permitted:
Literal IPv4 and IPv6 addresses are not permitted in "HostName".
Using IPs may cause rejection by the server: knot-resolver#265 (comment 59282)
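A sketch of the client-side guard this report implies, as an added example that is not kdig's code: before setting SNI, test whether the candidate name is an IP literal and omit the extension if it is. The function names and the `tls_name` parameter (an explicitly configured TLS hostname) are hypothetical, and the addresses in `main` are constructed samples.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* True if s is a literal IPv4 or IPv6 address. An IPv6 zone id
 * ("fe80::1%eth0") is cut off first, because inet_pton() rejects it. */
static bool is_ip_literal(const char *s)
{
    unsigned char bin[sizeof(struct in6_addr)];
    char addr[INET6_ADDRSTRLEN];
    size_t len = strcspn(s, "%"); /* length up to an optional zone id */

    if (len == 0 || len >= sizeof(addr)) {
        return false; /* empty or too long to be an address */
    }
    memcpy(addr, s, len);
    addr[len] = '\0';
    return inet_pton(AF_INET, addr, bin) == 1 ||
           inet_pton(AF_INET6, addr, bin) == 1;
}

/* Pick the value for the server_name extension.
 * server:   what the user gave as the server (address or name)
 * tls_name: explicitly configured TLS hostname or NULL (hypothetical option)
 * Returns the host name to send, or NULL to omit the extension entirely. */
const char *sni_for_server(const char *server, const char *tls_name)
{
    if (tls_name != NULL && !is_ip_literal(tls_name)) {
        return tls_name;
    }
    if (server != NULL && !is_ip_literal(server)) {
        return server;
    }
    return NULL; /* only IP literals available: send no SNI */
}

int main(void)
{
    /* Constructed sample inputs (documentation address ranges). */
    const char *in[] = { "192.0.2.1", "2001:db8::1", "fe80::1%eth0", "dns.example.net" };
    for (size_t i = 0; i < sizeof(in) / sizeof(in[0]); i++) {
        const char *sni = sni_for_server(in[i], NULL);
        printf("%-16s -> %s\n", in[i], sni ? sni : "(no SNI)");
    }
    return 0;
}
```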