diff --git a/src/const-info.c b/src/const-info.c
index d1e81c80..1288061c 100644
--- a/src/const-info.c
+++ b/src/const-info.c
@@ -90,7 +90,7 @@ static struct const_info consts_info[] = {
 { 1201, "GETDNS_TRANSPORT_TCP", GETDNS_TRANSPORT_TCP_TEXT },
 { 1202, "GETDNS_TRANSPORT_TLS", GETDNS_TRANSPORT_TLS_TEXT },
 { 1300, "GETDNS_AUTHENTICATION_NONE", GETDNS_AUTHENTICATION_NONE_TEXT },
- { 1301, "GETDNS_AUTHENTICATION_HOSTNAME", GETDNS_AUTHENTICATION_HOSTNAME_TEXT },
+ { 1301, "GETDNS_AUTHENTICATION_REQUIRED", GETDNS_AUTHENTICATION_REQUIRED_TEXT },
 };
 static int const_info_cmp(const void *a, const void *b)
diff --git a/src/context.c b/src/context.c
index 5e9a0b9d..1d9feb8b 100644
--- a/src/context.c
+++ b/src/context.c
@@ -1487,7 +1487,7 @@ getdns_context_set_tls_authentication(getdns_context *context,
 {
 RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER);
 if (value != GETDNS_AUTHENTICATION_NONE &&
- value != GETDNS_AUTHENTICATION_HOSTNAME) {
+ value != GETDNS_AUTHENTICATION_REQUIRED) {
 return GETDNS_RETURN_CONTEXT_UPDATE_FAIL;
 }
 context->tls_auth = value;
@@ -2462,8 +2462,8 @@ _getdns_context_prepare_for_resolution(struct getdns_context *context,
 #endif
 }
 if (tls_only_is_in_transports_list(context) == 1 &&
- context->tls_auth == GETDNS_AUTHENTICATION_HOSTNAME) {
- context->tls_auth_min = GETDNS_AUTHENTICATION_HOSTNAME;
+ context->tls_auth == GETDNS_AUTHENTICATION_REQUIRED) {
+ context->tls_auth_min = GETDNS_AUTHENTICATION_REQUIRED;
 /* TODO: If no auth data provided for any upstream, fail here */
 } else {
diff --git a/src/getdns/getdns_extra.h.in b/src/getdns/getdns_extra.h.in
index dea756a6..cc679cf8 100644
--- a/src/getdns/getdns_extra.h.in
+++ b/src/getdns/getdns_extra.h.in
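Review bot: The setter accepts GETDNS_AUTHENTICATION_REQUIRED unconditionally, yet the stub.c hunk in this same diff shows that on builds without X509_VERIFY_PARAM_set1_host (its `#else` branch) a required authentication can never succeed: every handshake is set to GETDNS_HS_FAILED with only a DEBUG_STUB message, so in a release build the caller learns of the unsupported mode only as query failures. Refusing the value here under the same preprocessor condition, e.g. returning GETDNS_RETURN_CONTEXT_UPDATE_FAIL with the comment `/* REQUIRED cannot be honoured without hostname verification support in the TLS library */`, reports it at configuration time instead. The exact `#if` guard is not visible in this diff, so mirror whatever stub.c uses. getdns_context_set_tls_authentication starts and ends outside the hunk.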
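Review bot: `tls_auth_min` only becomes GETDNS_AUTHENTICATION_REQUIRED when `tls_only_is_in_transports_list(context) == 1`, so an application that sets REQUIRED but keeps a non-TLS transport in its list is presumably handled by the `else` branch (outside the hunk) without any error, i.e. silently weakened; now that the constant is named REQUIRED that deserves at least a comment on the condition, e.g. `/* REQUIRED is only enforced when TLS is the sole transport; with other transports in the list the context falls back to opportunistic TLS */`. The `/* TODO: If no auth data provided for any upstream, fail here */` also remains open, and the stub.c hunk in this diff shows such upstreams failing per handshake instead, so a misconfigured context is only detected at query time. _getdns_context_prepare_for_resolution starts and ends outside the hunk.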
@@ -418,7 +418,8 @@ uint32_t getdns_get_api_version_number(void);
 /* Authentication options used when doing TLS */
 typedef enum getdns_tls_authentication_t {
 GETDNS_AUTHENTICATION_NONE = 1300,
- GETDNS_AUTHENTICATION_HOSTNAME = 1301,
+ GETDNS_AUTHENTICATION_REQUIRED = 1301,
+ GETDNS_AUTHENTICATION_HOSTNAME = 1301, /* an alias for REQUIRED */
 } getdns_tls_authentication_t;
 /**
@@ -426,7 +427,7 @@ typedef enum getdns_tls_authentication_t {
 * @{
 */
 #define GETDNS_AUTHENTICATION_NONE_TEXT "See getdns_context_set_tls_authentication()"
-#define GETDNS_AUTHENTICATION_HOSTNAME_TEXT "See getdns_context_set_tls_authentication()"
+#define GETDNS_AUTHENTICATION_REQUIRED_TEXT "See getdns_context_set_tls_authentication()"
 /** @} */
diff --git a/src/stub.c b/src/stub.c
index e8663ece..4655f1b4 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -835,7 +835,7 @@ tls_failed(getdns_upstream *upstream)
 static int
 tls_auth_status_ok(getdns_upstream *upstream, getdns_network_req *netreq)
 {
- return (netreq->tls_auth_min == GETDNS_AUTHENTICATION_HOSTNAME &&
+ return (netreq->tls_auth_min == GETDNS_AUTHENTICATION_REQUIRED &&
 upstream->tls_auth_failed) ? 0 : 1;
 }
@@ -909,7 +909,7 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
 X509_VERIFY_PARAM_set1_host(param, upstream->tls_auth_name, 0);
 #else
- if (dnsreq->netreqs[0]->tls_auth_min == GETDNS_AUTHENTICATION_HOSTNAME) {
+ if (dnsreq->netreqs[0]->tls_auth_min == GETDNS_AUTHENTICATION_REQUIRED) {
 /* TODO: Trigger post-handshake custom validation*/
 DEBUG_STUB("--- %s, ERROR: TLS Authentication functionality not available\n", __FUNCTION__);
 upstream->tls_hs_state = GETDNS_HS_FAILED;
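Review bot: `GETDNS_AUTHENTICATION_HOSTNAME` is kept as a second enumerator that repeats the literal 1301 instead of being defined in terms of the new name, so the alias relationship lives only in the comment and a later renumbering of REQUIRED would silently split the two; write it as `GETDNS_AUTHENTICATION_HOSTNAME = GETDNS_AUTHENTICATION_REQUIRED, /* deprecated alias for REQUIRED */` so the compiler keeps them equal. The enum's comment `/* Authentication options used when doing TLS */` also never says what REQUIRED requires or that NONE ignores authentication failures, which is the security-relevant distinction a caller needs; I would expand it to describe both values, and note that callers building with clang's -Wduplicate-enum will now see a warning on this enum. What the setter's own documentation says is not visible in this diff.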
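Review bot: `tls_auth_status_ok` has no comment and its contract is easy to misread: it returns 0 only when the netreq's `tls_auth_min` is GETDNS_AUTHENTICATION_REQUIRED *and* `upstream->tls_auth_failed` is set, so with NONE an upstream whose authentication failed is still reported as OK by design. I would add `/* Returns 0 only when this netreq required authentication and the upstream failed it; in opportunistic mode (NONE) a failed authentication is not an error. */` above the function. Whether `tls_auth_failed` is ever cleared for an upstream that later completes an authenticated handshake is not visible here and worth confirming, since a sticky flag would fail every later REQUIRED netreq on that upstream.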
@@ -918,11 +918,11 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 }
 #endif
 /* Allow fallback to opportunistic if settings permit it*/
- if (dnsreq->netreqs[0]->tls_auth_min != GETDNS_AUTHENTICATION_HOSTNAME)
+ if (dnsreq->netreqs[0]->tls_auth_min != GETDNS_AUTHENTICATION_REQUIRED)
 upstream->tls_fallback_ok = 1;
 } else {
 /* Lack of host name is OK unless only authenticated TLS is specified*/
- if (dnsreq->netreqs[0]->tls_auth_min == GETDNS_AUTHENTICATION_HOSTNAME) {
+ if (dnsreq->netreqs[0]->tls_auth_min == GETDNS_AUTHENTICATION_REQUIRED) {
 DEBUG_STUB("--- %s, ERROR: No host name provided for TLS authentication\n", __FUNCTION__);
 upstream->tls_hs_state = GETDNS_HS_FAILED;
 upstream->tls_auth_failed = 1;
diff --git a/src/test/getdns_query.c b/src/test/getdns_query.c
index 2f089a82..a0e36e8e 100644
--- a/src/test/getdns_query.c
+++ b/src/test/getdns_query.c
@@ -481,7 +481,7 @@ print_usage(FILE *out, const char *progname)
 fprintf(out, "\t-K \tPin a public key for TLS connections (can repeat)\n");
 fprintf(out, "\t\t(should look like '" EXAMPLE_PIN "')\n");
 fprintf(out, "\t-n\tSet TLS authentication mode to NONE (default)\n");
- fprintf(out, "\t-m\tSet TLS authentication mode to HOSTNAME\n");
+ fprintf(out, "\t-m\tSet TLS authentication mode to REQUIRED\n");
 fprintf(out, "\t-p\tPretty print response dict\n");
 fprintf(out, "\t-P \tPad TLS queries to a multiple of blocksize\n");
 fprintf(out, "\t-r\tSet recursing resolution type\n");
@@ -865,7 +865,7 @@ getdns_return_t parse_args(int argc, char **argv)
 break;
 case 'm':
 getdns_context_set_tls_authentication(context,
- GETDNS_AUTHENTICATION_HOSTNAME);
+ GETDNS_AUTHENTICATION_REQUIRED);
 break;
 case 'P':
 if (c[1] != 0 || ++i >= argc || !*argv[i]) {
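Review bot: The new `-m` help line says only `REQUIRED` and does not tell the user what must be supplied for authentication to succeed; the stub.c hunk in this diff fails the handshake (`No host name provided for TLS authentication`) whenever an upstream has no TLS auth name in REQUIRED mode, so someone passing `-m` without that data gets failing queries and nothing in the usage text explains why. I would extend the line to `fprintf(out, "\t-m\tSet TLS authentication mode to REQUIRED (each upstream needs a TLS auth name)\n");`, and, once confirmed, state whether a `-K` pin alone also satisfies REQUIRED, which is not visible here. print_usage continues outside the hunk.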