The article doesn't cover the inane stupid that is:

* NTP pool server usage requires using DNS

* people have DNSSEC setup, which requires accurate time or it fails

So if your clock is off, you cannot lookup NTP pool servers via DNS, and therefore cannot set your clock.

This sheer stupid has been discussed with package maintainers of major distros, with ntpsec, and the result is a mere shrug. Often, the answer is "but doesn't your device have a battery backed clock?", which is quite unhelpful. Many devices (routers, IOT devices, small boards, or older machines, etc) don't have a battery backed clock, or alternatively the battery may just have died.

Beyond that, the ntpsec codebase has a horrible bug where if DNS is not available when ntpsec starts, pool server addresses are never, ever retried. So if you have a complete power-fail in a datacentre rack, and your firewalls take a little longer to boot than your machines, you'll have to manually restart ntpsec to even get it to ever sync.

When discussing this bug the ntpsec lads were confused that DNS might not exist at times.

Long story short, make sure you aren't using DNS in any capacity, in NTP configs, and most especially in ntpsec configs.

One good source is just using the IPs provided by NIST. Pool servers may seem fine, but I'd trust IPs assigned to NIST to exist longer than any DNS anyhow. EG, for decades.