Re: client should never accept a time that's wildly different
NTP is unauthenticated. DNSSEC won't help if you can set up a server which will service the IP address that the DNS hands out.
time.apple.com resolves to 17.253.x.x (lots, in a round robin config)... it would be trivial to set up a device locally to impersonate those addresses.
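An added example, not part of the original post: a client-side sanity check of the kind the subject line asks for. It parses an SNTP reply, verifies the origin timestamp and rejects offsets beyond a bound; the 1000 s bound (ntpd's default panic threshold), the function names and the sample packets are assumptions constructed for illustration.

```python
import struct

NTP_UNIX_DELTA = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01
PANIC_THRESHOLD = 1000.0     # seconds; ntpd's default panic threshold, assumed as the bound
FMT = "!BBbb3I8I"            # 48-byte header: flags, stratum, poll, precision, 3 words, 4 timestamps

def to_ntp(unix_time):
    """Unix seconds -> NTP timestamp as (seconds, fraction) integers."""
    ntp = unix_time + NTP_UNIX_DELTA
    return int(ntp), int((ntp - int(ntp)) * 2**32)

def from_ntp(sec, frac):
    return sec - NTP_UNIX_DELTA + frac / 2**32

def build_reply(origin, server_time, stratum=2):
    """Constructed server reply (LI=0, VN=4, mode=4) used as sample input."""
    ts = to_ntp(server_time)
    return struct.pack(FMT, 0x24, stratum, 0, -20, 0, 0, 0, *ts, *origin, *ts, *ts)

def check_reply(packet, sent_ts, t1, t4, threshold=PANIC_THRESHOLD):
    """Validate one reply. sent_ts is the transmit timestamp we sent;
    t1/t4 are the local clock at send/receive. Returns (ok, reason, offset)."""
    if len(packet) < 48:
        return False, "short packet", None
    f = struct.unpack(FMT, packet[:48])
    leap, mode = f[0] >> 6, f[0] & 0x7
    if mode != 4 or leap == 3 or not 1 <= f[1] <= 15:
        return False, "not a synchronized server reply", None
    if (f[9], f[10]) != tuple(sent_ts):
        return False, "origin mismatch", None
    t2, t3 = from_ntp(f[11], f[12]), from_ntp(f[13], f[14])
    offset = ((t2 - t1) + (t3 - t4)) / 2      # standard NTP clock-offset formula
    if abs(offset) > threshold:
        return False, "offset exceeds bound", offset
    return True, "ok", offset

def demo():
    t1 = 1700000000.0; t4 = t1 + 0.05         # constructed local send/receive times
    sent = to_ntp(t1)
    return {
        "honest": check_reply(build_reply(sent, t1 + 0.025), sent, t1, t4),
        # Valid origin timestamp, but the responder's clock is one year ahead
        "year_ahead": check_reply(build_reply(sent, t1 + 365 * 86400), sent, t1, t4),
        "wrong_origin": check_reply(build_reply((1, 2), t1 + 0.025), sent, t1, t4),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The origin-timestamp check only stops off-path spoofing; against a responder that sees the request, as in the scenario above, the offset bound is the only check left, and it helps only when the local clock is already roughly correct.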