For NTS the server must have a valid TLS certificate, so random A or AAAA records don't fit into it. Otherwise NTP Pool would have to create an SSL certificate for every joining server and would have to go to a certificate authority. I don't think that this would be practical and it can't scale. If we want a secure and stable system for NTP Pool, I think SRV DNS records could fit into the system. Every server is responsible for having a valid SSL certificate. The pool can check if the server has a valid certificate and integrate it into the pool of servers which are randomized for response in the SRV records.
At the moment ntpsec or ntpd don't support DNS SRV records for pool. But a lot of configuration management systems (Ansible, Chef, Puppet) can resolve the DNS SRV record and write some server records to the ntpsec configs through a template. Of course it would be very cool if ntpsec could integrate DNS SRV records as a pool source.
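A worked version of the template step described above, added here as an example and not code from the post, the NTP Pool or ntpsec: it parses a constructed SRV answer set, orders the targets the way RFC 2782 prescribes (priority, then weighted random), and renders ntpsec `server <host> nts` lines. The hostnames and the `_ntp._udp` service name are assumptions.

```python
import random
from dataclasses import dataclass

# Constructed SRV answer set (hypothetical hosts) in 'priority weight port target'
# form, as a resolver would return it for a name such as _ntp._udp.<pool-domain>.
SAMPLE_SRV = """\
10 60 123 ntp1.example.net.
10 40 123 ntp2.example.net.
20 0 123 backup.example.net.
"""

@dataclass
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str

def parse_srv(text):
    """Parse dig-style SRV lines; the trailing dot on the target is dropped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        prio, weight, port, target = line.split()
        records.append(SrvRecord(int(prio), int(weight), int(port), target.rstrip(".")))
    return records

def order_srv(records, rng=None):
    """RFC 2782 order: lowest priority first, weighted random pick inside a priority."""
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r.priority for r in records}):
        bucket = [r for r in records if r.priority == prio]
        while bucket:
            total = sum(r.weight for r in bucket)
            pick = rng.randint(0, total)
            running, chosen = 0, bucket[-1]
            for r in bucket:
                running += r.weight
                if running >= pick:
                    chosen = r
                    break
            ordered.append(chosen)
            bucket.remove(chosen)
    return ordered

def render_ntpsec(records, max_servers=4):
    """One 'server <target> nts' line per record. The SRV port is not emitted: with
    NTS the NTP port comes from NTS-KE, and the target name must match the cert."""
    return "\n".join(f"server {r.target} nts" for r in records[:max_servers])
```

A configuration management run would feed the real resolver answer into `parse_srv` and drop the output into the ntpsec config file.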