document server/servers "trusted" sub-option. Indicates a particular

server is wired up such that non MITM attacks are possible, and NTP
packets can be trusted.  Therefore constraint validity is not required,
and during boot ntpd can spin-up correct time faster.
with otto, ok jmc schwarze

src/usr.sbin/ntpd/ntpd.conf.5

@@ -1,4 +1,4 @@
-.\" $OpenBSD: ntpd.conf.5,v 1.39 2019/11/10 18:46:53 deraadt Exp $
+.\" $OpenBSD: ntpd.conf.5,v 1.40 2019/11/10 19:28:34 deraadt Exp $
 .\"
 .\" Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
 .\"
@@ -146,6 +146,7 @@ A server with a weight of 5, for example,
 will have five times more influence on time offset calculation
 than a server with a weight of 1.
 .It Xo Ic server Ar address
+.Op Ic trusted
 .Op Ic weight Ar weight-value
 .Xc
 Specify the IP address or the hostname of an NTP
@@ -169,7 +170,19 @@ server ntp.example.org weight 1
 To provide redundancy, it is good practice to configure multiple servers.
 In general, best accuracy is obtained by using servers that have a low
 network latency.
+.Pp
+The
+.Ic trusted
+keyword indicates the server is connected closely on a secure network such that
+NTP packets cannot be injected as man-in-the-middle attacks.
+NTP packets from these servers are considered truthful without validation
+by
+.Ic constraints .
+This is useful for boot-time correction in environments where
+.Ic constraints
+cannot be used.
 .It Xo Ic servers Ar address
+.Op Ic trusted
 .Op Ic weight Ar weight-value
 .Xc
 As with