Hi, I have been working on a nice feature that improves startup behaviour of ntpd.
Summary: make sure you have at least one constraint source configured and use no options. ntpd will set the clock if needed, even if you machines has no battery backed up clock and is running a DNSSEC validating resolver. Previoulsy, using constraints or a DNSSEC validating resolver would break initial time setting, since doing https certificate and DNSSEC validation requires a proper clock. An we do not have that in above circumstances. In addition to previous work from jsing@ regarding https certificate validation my commits enable time bootstrapping in these adverse conditions. You want to stop using -s if you did, since the new method is more robust and more secure. (-s trusts any ntp reply, while the new automatic mode only does so if several ntp replies were validated). The last commit was a few hours ago, upcoming snaps should have all the nice things. -Otto