Thanks for the comment!

Having TLS clients ignore the time validity portion of validation when the clock is before the kernel build date (or some hardcoded value) is an interesting idea. I think the safer thing from a security perspective is to wait for the user to fix it, but it might be a good usability/security tradeoff.

I'm working on a new post with more info about solutions, including anycast NTP servers. Cloudflare and Google's servers appear to be anycast. Can you elaborate on why an anycast NTP server would give a poor sync? Do you mean it makes it impossible to do monitoring like pool.ntp.org does?

Craig Younkins

Written by Craig Younkins

Hacker, entrepreneur, and quantified self nerd. cyounkins at gmail.
