kdig +tls sends bad SNI
When the server is specified by IP address (the usual case), kdig sends the address as the server name identification during the handshake. That is not permitted:
Literal IPv4 and IPv6 addresses are not permitted in "HostName".
Using IPs may cause rejection by the server: https://gitlab.labs.nic.cz/knot/knot-resolver/issues/265#note_59282
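One way a client can decide what to put in the SNI extension, given as an added example and not kdig's own code. The helper name `sni_hostname` and the host names in `main` are constructed for illustration; a caller would set the TLS server name only when the function returns a nonzero length.

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* True when `s` is a literal IPv4 or IPv6 address. A colon never appears in
 * a DNS hostname, so the strchr() check also covers scoped literals such as
 * "fe80::1%eth0" that inet_pton() may reject. */
static bool is_ip_literal(const char *s)
{
    unsigned char buf[sizeof(struct in6_addr)];
    return inet_pton(AF_INET, s, buf) == 1 ||
           inet_pton(AF_INET6, s, buf) == 1 ||
           strchr(s, ':') != NULL;
}

/* Hypothetical helper: copies the name to use as SNI "HostName" into `out`.
 * Returns its length, or 0 when the extension must be omitted (IP literal,
 * empty name, or buffer too small). One trailing dot is stripped, because
 * HostName is sent without it. */
size_t sni_hostname(const char *server, char *out, size_t out_len)
{
    if (server == NULL || out == NULL || out_len == 0)
        return 0;
    size_t len = strlen(server);
    if (len == 0 || is_ip_literal(server))
        return 0;
    if (server[len - 1] == '.')
        len--;
    if (len == 0 || len >= out_len)
        return 0;
    memcpy(out, server, len);
    out[len] = '\0';
    return len;
}

int main(void)
{
    /* Constructed sample inputs (documentation address ranges and names). */
    const char *servers[] = { "192.0.2.1", "2001:db8::1", "dns.example.net." };
    char name[256];
    for (size_t i = 0; i < sizeof(servers) / sizeof(servers[0]); i++) {
        size_t n = sni_hostname(servers[i], name, sizeof(name));
        printf("%-18s -> %s\n", servers[i], n ? name : "(no SNI sent)");
    }
    return 0;
}
```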