ldns-dane --version (return code: 0)
ldns-dane: invalid option -- '-'
ldns-dane version 1.6.17 (ldns version 1.6.17)
ldns-dane --help (return code: 0)
ldns-dane: invalid option -- '-'
Usage: ldns-dane [OPTIONS] verify <name> <port>
   or: ldns-dane [OPTIONS] -t <tlsafile> verify

        Verify the TLS connection at <name>:<port> or
        use TLSA record(s) from <tlsafile> to verify the
        TLS service they reference.

   or: ldns-dane [OPTIONS] create <name> <port> [<usage> [<selector> [<type>]]]

        Use the TLS connection(s) to <name> <port> to create the TLSA
        resource record(s) that would authenticate the connection.

        <usage>     0: CA constraint
                    1: Service certificate constraint
                    2: Trust anchor assertion
                    3: Domain-issued certificate (default)

        <selector>  0: Full certificate (default)
                    1: SubjectPublicKeyInfo

        <type>      0: No hash used
                    1: SHA-256 (default)
                    2: SHA-512

OPTIONS:
  -h              show this text
  -4              TLS connect IPv4 only
  -6              TLS connect IPv6 only
  -a <address>    don't resolve <name>, but connect to <address>(es)
  -b              print "<name>. TYPE52 \#<size> <hex data>" form
  -c <certfile>   verify or create TLSA records for the
                  certificate (chain) in <certfile>
  -d              assume DNSSEC validity even when insecure or bogus
  -f <CAfile>     use CAfile to validate
  -i              interact after connecting
  -k <keyfile>    use DNSKEY/DS rr(s) in <keyfile> to validate TLSAs
                  when signature chasing (i.e. -S)
                  Default is /etc/unbound/root.key
  -n              do *not* verify server name in certificate
  -o <offset>     select <offset>th certificate from the end of
                  the validation chain. -1 means self-signed at end
  -p <CApath>     use certificates in the <CApath> directory to validate
  -s              assume PKIX validity
  -S              Chase signature(s) to a known key
  -t <tlsafile>   do not use DNS, but read TLSA record(s) from <tlsafile>
  -T              Return exit status 2 for PKIX validated connections
                  without (secure) TLSA records(s)
  -u              use UDP transport instead of TCP
  -v              show version and exit
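
How the <selector> and <type> fields listed above turn a certificate into TLSA data, and why a selector 1 record keeps matching after a certificate is reissued with the same key while a selector 0 record does not. This is an added example, not ldns code: the function names are hypothetical, the owner name follows the `_<port>._tcp.<name>.` convention of RFC 6698, `example.com` is a placeholder, and the two "certificates" are constructed DER skeletons rather than real signed certificates.

```python
import hashlib
# <type> values from the help text: 0 = no hash, 1 = SHA-256, 2 = SHA-512
MATCH = {0: bytes, 1: lambda d: hashlib.sha256(d).digest(),
         2: lambda d: hashlib.sha512(d).digest()}

def tlv(buf, off):
    """Read the DER element at off; return (tag, value_start, element_end)."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length

def spki(cert):
    """Return the DER SubjectPublicKeyInfo element (selector 1 input)."""
    _, off, _ = tlv(cert, 0)               # Certificate
    _, off, _ = tlv(cert, off)             # tbsCertificate
    tag, _, end = tlv(cert, off)
    if tag == 0xA0:                        # optional [0] version
        off = end
    for _ in range(5):                     # serial, signature, issuer, validity, subject
        _, _, off = tlv(cert, off)
    return cert[off:tlv(cert, off)[2]]

def tlsa_data(cert, selector=0, mtype=1):
    """Certificate association data for <selector> and <type>."""
    return MATCH[mtype](cert if selector == 0 else spki(cert))

def tlsa_rr(name, port, cert, usage=3, selector=0, mtype=1):
    data = tlsa_data(cert, selector, mtype).hex()
    return f"_{port}._tcp.{name}. IN TLSA {usage} {selector} {mtype} {data}"

def matches(rr, cert):
    """Check a presentation-format TLSA record against a DER certificate."""
    _, selector, mtype, data = rr.split()[-4:]
    return tlsa_data(cert, int(selector), int(mtype)) == bytes.fromhex(data)

def der(tag, body):                        # short-form DER encoder, samples only
    return bytes([tag, len(body)]) + body

def sample_cert(serial):
    """Constructed skeleton in X.509 field order; not a real signed certificate."""
    seq = lambda *parts: der(0x30, b"".join(parts))
    tbs = seq(der(0xA0, der(0x02, b"\x02")), der(0x02, bytes([serial])), seq(),
              seq(), seq(), seq(), seq(seq(), der(0x03, b"\x00" + b"K" * 32)))
    return seq(tbs, seq(), der(0x03, b"\x00"))

OLD, RENEWED = sample_cert(1), sample_cert(2)   # same key, reissued certificate
```

With a real certificate, pass its DER bytes (for example from `ssl.PEM_cert_to_DER_cert`) in place of the constructed samples.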