-<% when /(widor|argento).debian.org/: -%>
-server 195.49.152.213 iburst
-server 195.49.152.37 iburst
-<% else -%>
-server geo1.debian.org iburst dynamic
-server geo2.debian.org iburst dynamic
-server geo3.debian.org iburst dynamic
+<% elsif scope.lookupvar('site::nodeinfo')['misc']['natted'] or %w{wheezy}.include?(scope.lookupvar('::lsbdistcodename')) -%>
+# autokey doesn't work behind nat
+
+# merikanto's and orff's ipv4 IP, hard coded for the benefit of hosts
+# that do not have RTC's (since they won't be able to do DNS until
+# they have a reasonable clock).
+server 86.59.118.147 iburst
+server 194.177.211.209 iburst
+
+server merikanto.debian.org iburst
+server orff.debian.org iburst
+server ravel.debian.org iburst
+server busoni.debian.org iburst
+<% else -%>
+server merikanto.debian.org iburst autokey
+server orff.debian.org iburst autokey
+server ravel.debian.org iburst autokey
+server busoni.debian.org iburst autokey
+restrict merikanto.debian.org notrust nomodify notrap ntpport
+restrict orff.debian.org notrust nomodify notrap ntpport
+restrict ravel.debian.org notrust nomodify notrap ntpport
+restrict busoni.debian.org notrust nomodify notrap ntpport