If the time is wrong, we cannot validate dnssec, leading to failed
DNS lookups, so we cannot adjust or set the time.  Work around this
by repeating a failed DNS lookup with a lookup with the DC (check
disabled) bit set. ok florian@

Merge host_v{4,6}() into much simpler host_ip() using just getaddrinfo().
host_dns() uses the same procedure.
OK naddy

This helps the ntp process to a) give a better pledge(2) and to b)
keep the promise of "saving the world again... on time" by removing
the delays that have been introduced by expensive constraint forks.
The new design offers better privsep but introduces a few more imsgs
and runs a little bit more code in the privileged parent.  The
privileged code is minimal, carefully checked, and does not attempt to
"parse" any contents; the forked constraints instantly drop all
privileges and pledge to "stdio inet".
OK beck@ deraadt@

ok phessler@ deraadt@

time from HTTPS servers, by parsing the Date: header, and use the
median constraint time as a boundary to verify NTP responses.  This
adds some level of authentication and protection against MITM attacks
while preserving the accuracy of the NTP protocol; without relying on
authentication options for NTP that are basically unavailable at
present.  This is an initial implementation and the semantics will be
improved once it is in the tree.
Discussed with deraadt@ and henning@
OK henning@

OK henning@

reported by Jonas 'Sortie' Termansen

- Nothing seems to free the result of host_dns(), so add host_dns_free() and
call after each query.
- If imsg_add() fails, it frees buf. Avoid subsequently dereferencing the
freed buf in imsg_close().
ok millert@ deraadt@

generations don't try to change any of the values and break the code.
ok deraadt

unbreak config file address parsing

Match what parse.y expects it to return.
ok millert@

to use. "sensors *" just uses all. untested due to lack of hardware.
hacked on the road somewhere between vancouver and calgary

but more correct.
from  Michael Knudsen <e@molioner.dk>

guaranteed that its res_init() call was done once before fork etc...
that is no longer the case. call res_init() in main() early.

don't whine about temporary dns errors

asking the privileged one to do it. sends back an imsg with the
resulting addresses in a bunch of struct sockaddr_storage in the data
part.
this should fix all remaining issues with dns (non-)availability at
ntpd startup, be it due to named on localhost or something else.
tested by marco@ and Chris Paul <chris.paul@sentinare.com>

easier

to resolve the hostname every 60 seconds
fixes ntpd invocations before e. g. a dialup link is established and such.
as we want ntpd to be a "fire and forget" background daemon it should
cope with such situations.
tested by many

fixes the dns resolves to v4 and v6 addresses bug found by phessler
hacked on the Calgary->Montreal flight that proved that Air Canada _does_
have some modern aircrafts with good seats

listen on *
listens, well, everywhere.

struct ntp_addr, which just wraps a sockaddr_storage and a next pointer,
so that host_dns can return more than one entry.
let host_dns do exactly that, return a list of all IPs for that hostname
adjust all callers in the grammar to cope with that

for now, one can set the addresses to listen on