From daf113ff2dbf0f06ccaec490568be4cf76611764 Mon Sep 17 00:00:00 2001
From: deraadt <>
Date: Wed, 6 Nov 2019 19:04:12 +0000
Subject: [PATCH] Perform contraint validation against 9.9.9.9 and 2620:fe::fe
 also (which avoids DNS lookups entirely, but yes this https is correctly
 validated) long discussions with otto, florian, and the quad9 crew.

---
 src/etc/ntpd.conf | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/etc/ntpd.conf b/src/etc/ntpd.conf
index 1ff0154d..a4a3b055 100644
--- a/src/etc/ntpd.conf
+++ b/src/etc/ntpd.conf
@@ -1,8 +1,11 @@
-# $OpenBSD: ntpd.conf,v 1.15 2019/07/04 05:19:31 deraadt Exp $
+# $OpenBSD: ntpd.conf,v 1.16 2019/11/06 19:04:12 deraadt Exp $
 #
 # See ntpd.conf(5) and /etc/examples/ntpd.conf
 
 servers pool.ntp.org
 server time.cloudflare.com
 sensor *
-constraints from "https://www.google.com"
+
+constraint from "9.9.9.9"              # quad9 v4 without DNS
+constraint from "2620:fe::fe"          # quad9 v6 without DNS
+constraints from "www.google.com"      # intentionally not 8.8.8.8