nsupdate with DNS over TLS does not work as documented
Currently, in order to make nsupdate with DoT work, I have to specify both -H hostname and server hostname 853, while per the documentation, neither should be needed.
Working solution:
$ nsupdate -d -D -S -H dns.example -g
realm EXAMPLE
server dns.example 853
update delete client.example. in A
update add client.example. 1200 in A 172.16.100.40
send
Note that -H, server and port are all set. This works correctly.
However, if I omit -H, TLS certificate verification fails; it should instead use the hostname from the server directive: Communication with 172.16.100.10#853 failed: TLS peer certificate verification failed
If I omit the port, it tries to establish TLS on port 53, which times out. I would expect that -S would imply 853 as the default port instead of 53.
If I omit server, it tries to look it up using port 53, which works, but then it tries to update with TLS on port 53, which times out. I would expect the first lookup to be on 53 but the update to default to 853 for TLS when -S is set.
Additionally, it should be possible to look up the server using DoT; currently it just uses an unencrypted request.
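As an added example (not part of this report and not BIND's own code), the following POSIX sh wrapper applies the workaround described above: it always passes -H with the server's hostname and always writes an explicit port on the server directive, defaulting to 853 when none is given, so that the certificate is verified against a DNS name rather than an IP literal. The function names nsupdate_dot and is_hostname, and the NSUPDATE_DRY_RUN variable, are assumptions made for this example; it assumes BIND 9's nsupdate with -S/-H support.

```shell
#!/bin/sh
# Added example (not from the bug report or from BIND): wraps nsupdate for
# DNS over TLS so that -H <hostname> and an explicit port are always set.
# Assumes BIND 9 nsupdate with -S and -H. Function and variable names here
# (nsupdate_dot, is_hostname, NSUPDATE_DRY_RUN) are this example's own.

is_hostname() {
    # Reject IPv4/IPv6 literals: TLS certificate verification needs a DNS
    # name, and the report shows verification failing against an IP.
    case "$1" in
        "" ) return 1 ;;
        *[!0-9.]* ) case "$1" in *:*) return 1 ;; *) return 0 ;; esac ;;
        * ) return 1 ;;
    esac
}

nsupdate_dot() {
    # $1 = server hostname, $2 = port ("" means default 853 because -S
    # means TLS), $3 = GSS-TSIG realm, remaining args = update lines.
    host=$1; port=${2:-853}; realm=$3; shift 3
    is_hostname "$host" || {
        echo "server must be a hostname, not an IP literal: $host" >&2
        return 1
    }
    # The workaround from the report: -S for TLS, -H for the name to verify,
    # and the same name plus explicit port on the server directive.
    cmd="nsupdate -S -H $host -g"
    batch=$(
        printf 'realm %s\nserver %s %s\n' "$realm" "$host" "$port"
        for u in "$@"; do printf '%s\n' "$u"; done
        printf 'send'
    )
    if [ "${NSUPDATE_DRY_RUN:-0}" = 1 ]; then
        # Show what would run instead of contacting a server.
        printf '%s\n%s\n' "$cmd" "$batch"
    else
        printf '%s\n' "$batch" | $cmd
    fi
}

# Usage (dry run; remove NSUPDATE_DRY_RUN to actually send the update):
# NSUPDATE_DRY_RUN=1 nsupdate_dot dns.example "" EXAMPLE \
#     "update delete client.example. in A" \
#     "update add client.example. 1200 in A 172.16.100.40"
```

Running the dry run prints the nsupdate command line followed by the batch that would be piped into it; calling it with 172.16.100.10 instead of dns.example is rejected before anything is sent, which is the case that produces the "TLS peer certificate verification failed" error in the report.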