kdig +tls-hostname +tls should imply +tls-ca if neither +tls-ca nor +tls-pin is given
Consider this command:
kdig +tls +tls-hostname=dns.cmrg.net @22.214.171.124 example.org
It currently returns:
;; WARNING: TLS, handshake failed (Error in the certificate.)
;; WARNING: failed to query server 126.96.36.199@853(TCP)
But the following command works:
kdig +tls +tls-ca +tls-hostname=dns.cmrg.net @188.8.131.52 example.org
So presumably the failure is due to there being no certificate authorities listed at all.
This doesn't make sense as a default state.
+tls (opportunistic) gets upgraded to strict when +tls-hostname gets added, but the default list of certificate authorities doesn't get included.
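
A shell wrapper that applies the default requested above until kdig does so itself. This is an added example, not part of the original report or of Knot DNS; the function names `needs_tls_ca` and `kdig_strict` are hypothetical, and the only kdig options assumed are `+tls-ca[=FILE]`, `+notls-ca`, `+tls-pin=` and `+tls-hostname=`.

```shell
#!/bin/sh
# Added example, not kdig's own code.

# needs_tls_ca: exit 0 when the arguments ask for hostname verification
# (+tls-hostname=NAME) but name no trust anchor (+tls-ca, +tls-ca=FILE,
# +tls-pin=HASH) and do not explicitly turn the CA store off (+notls-ca).
needs_tls_ca() {
    _hostname=0
    _anchor=0
    for _arg in "$@"; do
        case "$_arg" in
            +tls-hostname=?*)             _hostname=1 ;;
            +tls-ca|+tls-ca=*|+tls-pin=*) _anchor=1 ;;
            +notls-ca)                    _anchor=1 ;;  # explicit choice, leave it alone
        esac
    done
    [ "$_hostname" -eq 1 ] && [ "$_anchor" -eq 0 ]
}

# kdig_strict: run kdig, prepending +tls-ca only in the case above, so a
# hostname check is always backed by the system CA store or by a pin.
kdig_strict() {
    if needs_tls_ca "$@"; then
        set -- +tls-ca "$@"
    fi
    kdig "$@"
}
```

With this wrapper, the first command in the report is run as if `+tls-ca` had been given, while commands that already carry `+tls-ca` or `+tls-pin` are passed through unchanged.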