DANE/OPENPGPKEY is an experimental RFC standard for key retrieval over DNS. This is the authoritative document and informational resources:

- Heise Article: A pretty good overview article on key retrieval and DNSSEC adoption (or lack thereof).

I am removing support for this from NeoPG:

- There is very low adoption. Even the author of the standard (pwouters@redhat.com) does not use it. Of 624 Debian email addresses tested, only two use it.
- It requires DNSSEC adoption. DNSSEC adoption is low, and setting it up is much more difficult than regular DNS, which is already out of reach for almost all users.
- GnuPG does not even verify DNSSEC (at all) and just imports over regular DNS, violating the standard. Also, DNS on gnupg.org does not implement DNSSEC.
- All arguments against key retrieval via DNS apply (web bugs, lack of security in DNS, lack of control over DNS by users, difficulty of setting up DNS records, etc.). There is some hand waving in the standard about using TLS in recursive DNS servers, but that's a pipe dream at this point.
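As an added illustration (not NeoPG or GnuPG code) of the two mechanical steps behind the retrieval discussed above: deriving the RFC 7929 query name for an address, and refusing to import anything from a DNS answer whose header lacks the DNSSEC "Authentic Data" bit. The DNS headers and key bytes are constructed inline; the function names are mine, and the AD bit is only meaningful when it comes from a trusted validating resolver over a trusted path.

```python
import hashlib
import struct
from typing import Optional

AD_FLAG = 0x0020  # "Authentic Data" bit in the DNS header flags (RFC 4035)


def openpgpkey_owner_name(email: str) -> str:
    """Query name per RFC 7929: SHA-256 of the local-part, truncated to
    28 octets and hex-encoded, under _openpgpkey.<domain>.
    The local-part is hashed as given; no case normalisation here."""
    local_part, _, domain = email.rpartition("@")
    if not local_part or not domain:
        raise ValueError("not an email address")
    digest = hashlib.sha256(local_part.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}._openpgpkey.{domain.lower()}"


def answer_is_dnssec_validated(response: bytes) -> bool:
    """True only if the resolver set the AD bit in the 12-byte DNS header.
    Without it the OPENPGPKEY record is just an unauthenticated DNS reply,
    which is the situation the text describes GnuPG accepting."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    return bool(flags & AD_FLAG)


def select_key_material(response: bytes, rdata: bytes) -> Optional[bytes]:
    """Import policy: hand the record's RDATA to the key importer only when
    the answer was DNSSEC-validated; otherwise refuse (return None)."""
    if answer_is_dnssec_validated(response):
        return rdata
    return None


# Constructed DNS headers (not captured traffic), identical except for AD:
# 0x81A0 = QR, RD, RA, AD set; 0x8180 = QR, RD, RA, no AD.
VALIDATED_HEADER = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 0)
UNVALIDATED_HEADER = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
CONSTRUCTED_KEY = b"\x99\x01\x00placeholder-not-a-real-key"  # constructed

if __name__ == "__main__":
    print(openpgpkey_owner_name("hugh@example.com"))
    print(select_key_material(VALIDATED_HEADER, CONSTRUCTED_KEY) is not None)
    print(select_key_material(UNVALIDATED_HEADER, CONSTRUCTED_KEY) is None)
```

Note that a stub resolver cannot produce a trustworthy AD bit on its own; either the application validates the RRSIG chain itself or it must trust the recursive resolver and the path to it, which is the weak point the text calls out.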