from next

README.md

@@ -51,10 +51,8 @@ Application Options:
       --no-reuse-conn          Use a new connection for each query
       --txtconcat              Concatenate TXT responses
       --recaxfr                Perform recursive AXFR
-  -f, --format=                Output format (pretty, json, yaml, raw)
-                               (default: pretty)
-      --pretty-ttls            Format TTLs in human readable format (default:
-                               true)
+  -f, --format=                Output format (pretty, json, yaml, raw) (default: pretty)
+      --pretty-ttls            Format TTLs in human readable format (default: true)
       --color                  Enable color output
       --question               Show question section
       --answer                 Show answer section (default: true)
@@ -63,14 +61,12 @@ Application Options:
   -S, --stats                  Show time statistics
       --all                    Show all sections and statistics
   -w                           Resolve ASN/ASName for A and AAAA records
-  -r, --value                  Show record values only
-  -R, --resolve-ips            Resolve PTR records for IP addresses in A and
-                               AAAA records
+  -r, --short                  Show record values only
+  -R, --resolve-ips            Resolve PTR records for IP addresses in A and AAAA records
       --aa                     Set AA (Authoritative Answer) flag in query
       --ad                     Set AD (Authentic Data) flag in query
       --cd                     Set CD (Checking Disabled) flag in query
-      --rd                     Set RD (Recursion Desired) flag in query
-                               (default: true)
+      --rd                     Set RD (Recursion Desired) flag in query (default: true)
       --ra                     Set RA (Recursion Available) flag in query
       --z                      Set Z (Zero) flag in query
       --t                      Set TC (Truncated) flag in query
@@ -80,18 +76,18 @@ Application Options:
       --tls-max-version=       Maximum TLS version to use (default: 1.3)
       --tls-next-protos=       TLS next protocols for ALPN
       --tls-cipher-suites=     TLS cipher suites
+      --tls-client-cert=       TLS client certificate file
+      --tls-client-key=        TLS client key file
       --http-user-agent=       HTTP user agent
       --http-method=           HTTP method (default: GET)
       --quic-alpn-tokens=      QUIC ALPN tokens (default: doq, doq-i11)
       --quic-no-pmtud          Disable QUIC PMTU discovery
       --quic-no-length-prefix  Don't add RFC 9250 compliant length prefix
       --dnscrypt-tcp           Use TCP for DNSCrypt (default UDP)
-      --dnscrypt-udp-size=     Maximum size of a DNS response this client can
-                               sent or receive (default: 0)
+      --dnscrypt-udp-size=     Maximum size of a DNS response this client can sent or receive (default: 0)
       --dnscrypt-key=          DNSCrypt public key
       --dnscrypt-provider=     DNSCrypt provider name
-      --default-rr-types=      Default record types (default: A, AAAA, NS, MX,
-                               TXT, CNAME)
+      --default-rr-types=      Default record types (default: A, AAAA, NS, MX, TXT, CNAME)
       --udp-buffer=            Set EDNS0 UDP size in query (default: 1232)
   -v, --verbose                Show verbose log messages
       --trace                  Show trace log messages
@@ -145,10 +141,7 @@ go install -ldflags="-s -w -X main.version=release"
 ### TLS Decryption
 
 `q` supports TLS decryption through a key log file generated when
-the `SSLKEYLOGFILE` environment variable is set to the absolute path of a
-writable file.
-
-The generated file may be used by Wireshark to decipher the captured traffic.
+the `SSLKEYLOGFILE` environment variable is set to a file path.
 
 ### Feature Comparison
 

cli/flags.go

@@ -33,7 +33,7 @@ type Flags struct {
 	ShowStats      bool   `short:"S" long:"stats" description:"Show time statistics"`
 	ShowAll        bool   `long:"all" description:"Show all sections and statistics"`
 	Whois          bool   `short:"w" description:"Resolve ASN/ASName for A and AAAA records"`
-	ValueOnly      bool   `short:"r" long:"value" description:"Show record values only"`
+	ValueOnly      bool   `short:"r" long:"short" description:"Show record values only"`
 	ResolveIPs     bool   `short:"R" long:"resolve-ips" description:"Resolve PTR records for IP addresses in A and AAAA records"`
 
 	// Header flags
@@ -45,13 +45,15 @@ type Flags struct {
 	Zero                bool `long:"z" description:"Set Z (Zero) flag in query"`
 	Truncated           bool `long:"t" description:"Set TC (Truncated) flag in query"`
 
-	// TCP parameters
-	TLSNoVerify     bool     `short:"i" long:"tls-no-verify" description:"Disable TLS certificate verification"`
-	TLSServerName   string   `long:"tls-server-name" description:"TLS server name for host verification"`
-	TLSMinVersion   string   `long:"tls-min-version" description:"Minimum TLS version to use" default:"1.0"`
-	TLSMaxVersion   string   `long:"tls-max-version" description:"Maximum TLS version to use" default:"1.3"`
-	TLSNextProtos   []string `long:"tls-next-protos" description:"TLS next protocols for ALPN"`
-	TLSCipherSuites []string `long:"tls-cipher-suites" description:"TLS cipher suites"`
+	// TLS parameters
+	TLSNoVerify          bool     `short:"i" long:"tls-no-verify" description:"Disable TLS certificate verification"`
+	TLSServerName        string   `long:"tls-server-name" description:"TLS server name for host verification"`
+	TLSMinVersion        string   `long:"tls-min-version" description:"Minimum TLS version to use" default:"1.0"`
+	TLSMaxVersion        string   `long:"tls-max-version" description:"Maximum TLS version to use" default:"1.3"`
+	TLSNextProtos        []string `long:"tls-next-protos" description:"TLS next protocols for ALPN"`
+	TLSCipherSuites      []string `long:"tls-cipher-suites" description:"TLS cipher suites"`
+	TLSClientCertificate string   `long:"tls-client-cert" description:"TLS client certificate file"`
+	TLSClientKey         string   `long:"tls-client-key" description:"TLS client key file"`
 
 	// HTTP
 	HTTPUserAgent string `long:"http-user-agent" description:"HTTP user agent" default:""`

main.go

@@ -444,6 +444,16 @@ All long form (--) flags can be toggled with the dig-standard +[no]flag notation
 		CipherSuites:       parseTLSCipherSuites(opts.TLSCipherSuites),
 	}
 
+	// TLS client certificate authentication
+	if opts.TLSClientCertificate != "" {
+		cert, err := tls.LoadX509KeyPair(opts.TLSClientCertificate, opts.TLSClientKey)
+		if err != nil {
+			return fmt.Errorf("unable to load client certificate: %s", err)
+		}
+		tlsConfig.Certificates = []tls.Certificate{cert}
+	}
+
+	// TLS secret logging
 	if klf := os.Getenv("SSLKEYLOGFILE"); klf != "" {
 		log.Warnf("SSLKEYLOGFILE is set! TLS master secrets will be logged.")
 		keyLog, err := os.OpenFile(klf, os.O_WRONLY|os.O_APPEND|os.O_CREATE, 0666)