To monitor all domains, require "." to be specified

Now that we save all certs by default, we want to prevent people
from accidentally monitoring all domains, which could lead to MASSIVE
disk usage.

"." is used because it denotes the root zone in DNS.

cmd/ctwatch/main.go

@@ -15,8 +15,17 @@ var stateDir = flag.String("state_dir", cmd.DefaultStateDir("ctwatch"), "Directo
 func main() {
 	flag.Parse()
 
-	var domains []string
+	if flag.NArg() == 0 {
+		fmt.Fprintf(os.Stderr, "Usage: %s [flags] domain ...\n", os.Args[0])
+		fmt.Fprintf(os.Stderr, "\n")
+		fmt.Fprintf(os.Stderr, "To read domain list from stdin, use '-'. To monitor all domains, use '.'.\n")
+		fmt.Fprintf(os.Stderr, "See '%s -help' for a list of valid flags.\n", os.Args[0])
+		os.Exit(2)
+	}
+
+	var matcher ctwatch.Matcher
 	if flag.NArg() == 1 && flag.Arg(0) == "-" {
+		var domains []string
 		scanner := bufio.NewScanner(os.Stdin)
 		for scanner.Scan() {
 			domains = append(domains, scanner.Text())
@@ -25,15 +34,11 @@ func main() {
 			fmt.Fprintf(os.Stderr, "%s: Error reading standard input: %s\n", os.Args[0], err)
 			os.Exit(3)
 		}
-	} else {
-		domains = flag.Args()
-	}
-
-	var matcher ctwatch.Matcher
-	if len(domains) == 0 {
+		matcher = ctwatch.NewDomainMatcher(domains)
+	} else if flag.NArg() == 1 && flag.Arg(0) == "." { // "." as in root zone
 		matcher = ctwatch.MatchAll{}
 	} else {
-		matcher = ctwatch.NewDomainMatcher(domains)
+		matcher = ctwatch.NewDomainMatcher(flag.Args())
 	}
 
 	cmd.Main(*stateDir, matcher)