definition; from Michael Forney

does not work. Make that more clear in the log and ntpdctl -s status.
report by and ok benno@

for these. ok deraadt@

used in situations where https constraints cannot be used and we still want
auto settime. Result of discussion with and ok deraadt@

- do not restart settime timeout interval if something happens in the main
event loop
- apply a tight loop protection; it can be painfull on a single
core machine since the process runs at maximum priority. Should only
happen when a bug is introduced while developing, but prevents having to
machine taken over by ntpd.

are relative to monotime; so they shift when time is being adjusted.
2) Fix a race between SIGCHLD delivery and reading the result imsg.
3) Some cleanup: use a number to distinguish pools internally

and net config can change as well. So if a peer does not respond,
throw it out of the pool if it's a pool member and re-resolve to
find a replacement. Hold on to good peers so we end up with a good
set of peers. ok benno@

the log destination changes. ok claudio@ benno@

an (auto) settime or give up. 15s timeout is still in effect. ok florian@

engine does not know if we're in startup mode, so use a small interval
the first few times there.

ok benno@

(booting, constraint(s) defined) set the time but only if the clock
should be moved forward by more than a minute, based on ntp replies
that satisfied the constraints. Tested by many; ok deraadt@

an absolute value and fix poll loop to first generate messages and
then compute poll flags the write cases. This makes the timeout
workaround for constraints unneeded.  ok reyk@ tb@

with once the clock is synced. ok deraadt@ florian@

If the time is wrong, we cannot validate dnssec, leading to failed
DNS lookups, so we cannot adjust or set the time.  Work around this
by repeating a failed DNS lookup with a lookup with the DC (check
disabled) bit set. ok florian@

as unsynced. reported by naddy, also seen by me (I noticed because
monitoring-plugins check_ntp complained). ok claudio henning

sensors, mark us unsynced again. ok reyk krw, pt out / discussion / help naddy

address for outgoing ntp queries.
From Job Snijders, thanks!
with feedback and ok henning@

it, remove some verbose shutdown messages that we had before with pipe
close.
ok reyk@

ok reyk@, bcook@

part of the original ISC license that we use in OpenBSD.  Done for
files were Henning is the original author.
OK henning@ deraadt@

OK bcook@ jung@

we have ntpctl now and ntpd doesn't need redundant/obsolete features.
Pointed out by naddy@, with input from zhuk@ (SIGINFO doesn't need SIG_IGN)
OK deraadt@

non-sensical.  The dns lookups happened in the process routing table
(usually '0'), which is very likely to have different results from the
other routing domains.  If you do depend on having this behaviour,
you'll need to use pf to cross the rtable boundary.
"listen on * rtable X" is still supported.
Users of "server * rtable X" will need to switch to launching ntpd with
"route -T X exec /usr/sbin/ntpd"
OK deraadt@

This helps the ntp process to a) give a better pledge(2) and to b)
keep the promise of "saving the world again... on time" by removing
the delays that have been introduced by expensive constraint forks.
The new design offers better privsep but introduces a few more imsgs
and runs a little bit more code in the privileged parent.  The
privileged code is minimal, carefully checked, and does not attempt to
"parse" any contents; the forked constraints instantly drop all
privileges and pledge to "stdio inet".
OK beck@ deraadt@

including fork/exec cost, it would be better if constraints were
forked from the master process, which would then tell the ntp
engine.  That would increase accuracy and security.
Lots of conversations with reyk and bcook

than < for the comparison.  Otherwise, if we don't do enough work
in the loop to advance the clock (for instance if the network is
down) we may end up calling poll() multiple times with no timeout,
racking up CPU time for no real reason.  OK bcook@

ok deraadt@ phessler@ claudio@

ok phessler@ deraadt@

ok bcook

henning@ 9 years ago because of an issue with the /dev/hotplug device
- it does not support multiple readers opening it.  Nobody ever cared
enough to fix it so it is time to sent the dead code to the Attic.
OK henning@ (feeling sad about it), mpi@ and others

ok reyk@

allows to get constraint addresses even if network/DNS is not
available at startup (or system boot).
thumbs up & OK henning@

time from HTTPS servers, by parsing the Date: header, and use the
median constraint time as a boundary to verify NTP responses.  This
adds some level of authentication and protection against MITM attacks
while preserving the accuracy of the NTP protocol; without relying on
authentication options for NTP that are basically unavailable at
present.  This is an initial implementation and the semantics will be
improved once it is in the tree.
Discussed with deraadt@ and henning@
OK henning@

ok phessler@ deraadt@

ok tedu@ deraadt@

peanuts -- but all work has to start somewhere.

suggested by deraadt@ re: more general MIN/MAX cleanups

Switch to local definitions where MAX is needed.
discussed with deraadt@

Nothing is done with the return value from ntp_dns, and it already calls
fatal() on failure.
ok deraadt@

for free, FREE, FREEEEE
ok doug

ok krw

diff from Mike Miller <mmiller mgm51 com> (many thanks!)
OK phessler@, henning@, todd@

Previously, when there is an even number of offsets, we did the average
of the two middle offets but would set the REFID from one of them.
Instead, we simply select the middle offset with the lowest delay.
diff from Mike Miller <mmiller mgm51 com> (many thanks!)
OK phessler@, henning@

This basically adds the "rtable %d" keyword to "listen on", "server",
"servers" keywords, to specify which routing table to use.
OK henning@ claudio@ sthen@
manpage reviewed by jmc@

pointed out by Running Razor <runningrazor at web dot de>

deserves to get credited for this, but I have no idea where that came from