kdig +tls-hostname +tls should imply +tls-ca if neither +tls-ca nor +tls-pin is given
Consider this command:
kdig +tls +tls-hostname=dns.cmrg.net @199.58.81.218 example.org
It currently returns:
;; WARNING: TLS, handshake failed (Error in the certificate.)
;; WARNING: failed to query server 199.58.81.218@853(TCP)
But the following command works:
kdig +tls +tls-ca +tls-hostname=dns.cmrg.net @199.58.81.218 example.org
So presumably the failure is due to there being no certificate authorities listed at all.
This doesn't make sense as a default state.
Apparently +tls (opportunistic) gets upgraded to strict when +tls-hostname gets added, but the default list of certificate authorities doesn't get included.
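The failure the report presumes, strict validation running against an empty set of trust anchors, shown as an added example that is not part of the original report and not kdig or GnuTLS code. It uses Go's crypto/x509 with a constructed self-signed certificate; the helper names (must, selfSigned, strictVerify, demo) and the name other.example are assumptions made for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSigned returns a throwaway self-signed certificate for host (constructed test data).
func selfSigned(host string) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

// strictVerify checks cert for host against roots only. roots is never nil here,
// so Go does not silently fall back to the system store.
func strictVerify(cert *x509.Certificate, host string, roots *x509.CertPool) error {
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

// demo returns results for: empty anchor set, anchor loaded, anchor loaded but wrong name.
func demo() (noAnchors, anchored, wrongName error) {
	cert := selfSigned("dns.cmrg.net")
	trusted := x509.NewCertPool()
	trusted.AddCert(cert)
	return strictVerify(cert, "dns.cmrg.net", x509.NewCertPool()),
		strictVerify(cert, "dns.cmrg.net", trusted),
		strictVerify(cert, "other.example", trusted)
}

func main() { fmt.Println(demo()) }
```

With an empty anchor set the check fails even though the hostname matches, which is why a client that turns on strict hostname checking needs some trust source (a CA list or a pin) loaded at the same time.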