iburst and oburst do not work with nts on non-standard port

This is a tricky bug, I think. I have tried so many combinations, I am now confused.

I am trying out NTS. I am using a mix of servers, @hal.murray and @garyedmundsmiller , as well as the IETF Hackathon. The latter are on non-standard ports (for the NTS-KE).

This works:

server -4 ntp1.glypnod.com iburst oburst burst nts
server -4 ntp2.glypnod.com nts
server -4 zoo.weinigel.se:4446 nts  # NTP Port negotiation will fail.
server -4 nts-test.strangled.net:443 nts
server -4 nts3-e.ostfalia.de:443 burst nts noval

This does not

server -4 ntp1.glypnod.com iburst oburst burst nts
server -4 ntp2.glypnod.com nts
server -4 zoo.weinigel.se:4446 nts
server -4 nts-test.strangled.net:443 iburst oburst burst nts
server -4 nts3-e.ostfalia.de:443 iburst oburst burst nts noval

For the second case, the log says:

2019-03-24T00:35:41 ntpd[5980]: DNS: dns_probe: ntp1.glypnod.com, cast_flags:1, flags:20901
2019-03-24T00:35:41 ntpd[5980]: DNS: dns_check: processing ntp1.glypnod.com, 1, 20901
2019-03-24T00:35:41 ntpd[5980]: DNS: Server taking: 104.131.155.175
2019-03-24T00:35:41 ntpd[5980]: DNS: Server poking hole in restrictions for: 104.131.155.175
2019-03-24T00:35:41 ntpd[5980]: PROTO: 104.131.155.175 unlink local addr 127.0.0.1 -> 203.123.48.219
2019-03-24T00:35:41 ntpd[5980]: DNS: dns_take_status: ntp1.glypnod.com=>good, 0
2019-03-24T00:35:41 ntpd[5980]: PROTO: 104.131.155.175 a014 84 reachable
2019-03-24T00:35:42 ntpd[5980]: DNS: dns_probe: ntp2.glypnod.com, cast_flags:1, flags:21801
2019-03-24T00:35:42 ntpd[5980]: NTSc: DNS lookup of ntp2.glypnod.com took 0.069 sec
2019-03-24T00:35:42 ntpd[5980]: NTSc: nts_probe connecting to ntp2.glypnod.com:123 => 178.62.68.79:123
2019-03-24T00:35:42 ntpd[5980]: NTSc: Using TLSv1.3, TLS_AES_256_GCM_SHA384 (256)
2019-03-24T00:35:42 ntpd[5980]: NTSc: certificate subject name: /CN=ntp2.glypnod.com
2019-03-24T00:35:42 ntpd[5980]: NTSc: certificate issuer name: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
2019-03-24T00:35:42 ntpd[5980]: NTSc: certificate is valid.
2019-03-24T00:35:43 ntpd[5980]: NTSc: read 880 bytes
2019-03-24T00:35:43 ntpd[5980]: NTSc: Got 8 cookies, length 104, aead=15.
2019-03-24T00:35:43 ntpd[5980]: NTSc: NTS-KE req to ntp2.glypnod.com took 0.797 sec, OK
2019-03-24T00:35:43 ntpd[5980]: DNS: dns_check: processing ntp2.glypnod.com, 1, 21801
2019-03-24T00:35:43 ntpd[5980]: DNS: Server taking: 178.62.68.79
2019-03-24T00:35:43 ntpd[5980]: DNS: Server poking hole in restrictions for: 178.62.68.79
2019-03-24T00:35:43 ntpd[5980]: PROTO: 178.62.68.79 unlink local addr 127.0.0.1 -> 203.123.48.219
2019-03-24T00:35:43 ntpd[5980]: DNS: dns_take_status: ntp2.glypnod.com=>good, 0
2019-03-24T00:35:43 ntpd[5980]: DNS: dns_probe: zoo.weinigel.se:4446, cast_flags:1, flags:21801
2019-03-24T00:35:43 ntpd[5980]: CLOCK: ts_prev 1553358943 s + 302822481 ns, ts_min 1553358943 s + 302822481 ns
2019-03-24T00:35:43 ntpd[5980]: CLOCK: ts 1553358943 s + 302822481 ns
2019-03-24T00:35:43 ntpd[5980]: CLOCK: sys_fuzz 521 nsec, prior fuzz 0.000000093
2019-03-24T00:35:43 ntpd[5980]: CLOCK: this fuzz -0.000000420
2019-03-24T00:35:43 ntpd[5980]: CLOCK: prev get_systime 0xe040dedf.4d9080de is 0.000164136 later than 0xe040dedf.4d85bf1f
2019-03-24T00:35:43 ntpd[5980]: NTSc: DNS lookup of zoo.weinigel.se:4446 took 0.001 sec
2019-03-24T00:35:43 ntpd[5980]: NTSc: nts_probe connecting to zoo.weinigel.se:4446 => 37.46.169.123:4446
2019-03-24T00:35:44 ntpd[5980]: NTSc: Using TLSv1.2, ECDHE-RSA-AES256-GCM-SHA384 (256)
2019-03-24T00:35:44 ntpd[5980]: NTSc: certificate subject name: /CN=zoo.weinigel.se
2019-03-24T00:35:44 ntpd[5980]: NTSc: certificate issuer name: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
2019-03-24T00:35:44 ntpd[5980]: NTSc: certificate is valid.
2019-03-24T00:35:44 ntpd[5980]: NTSc: read 854 bytes
2019-03-24T00:35:44 ntpd[5980]: NTSc: received strange type: T=7, C=1, L=2
2019-03-24T00:35:44 ntpd[5980]: NTSc: NTS-KE req to zoo.weinigel.se:4446 took 1.139 sec, fail
2019-03-24T00:35:44 ntpd[5980]: DNS: dns_check: processing zoo.weinigel.se:4446, 1, 21801
2019-03-24T00:35:44 ntpd[5980]: DNS: dns_take_status: zoo.weinigel.se:4446=>error, 12
2019-03-24T00:35:45 ntpd[5980]: DNS: dns_probe: nts3-e.ostfalia.de:443, cast_flags:1, flags:20901
2019-03-24T00:35:45 ntpd[5980]: DNS: dns_check: processing nts3-e.ostfalia.de:443, 1, 20901
2019-03-24T00:35:45 ntpd[5980]: DNS: dns_check: DNS error: -2, Name or service not known
2019-03-24T00:35:45 ntpd[5980]: DNS: dns_take_status: nts3-e.ostfalia.de:443=>error, 12
2019-03-24T00:35:46 ntpd[5980]: DNS: dns_probe: nts-test.strangled.net:443, cast_flags:1, flags:20901
2019-03-24T00:35:46 ntpd[5980]: DNS: dns_check: processing nts-test.strangled.net:443, 1, 20901
2019-03-24T00:35:46 ntpd[5980]: DNS: dns_check: DNS error: -2, Name or service not known
2019-03-24T00:35:46 ntpd[5980]: DNS: dns_take_status: nts-test.strangled.net:443=>error, 12

Note that for ntp1.glypnod.com, it associates as a non-NTS. The burst keyword causes no error for ntp2. But where iburst and oburst are specified, the DNS fails.

I think I have confused myself enough. I remember a discussion on the list, can someone tell me the supported format of the config line for nts? Apart from noval, what else can I specify? And in what order?