There is very low adoption, even lower than for PKA and only slightly higher than for OPENPGPKEY. Of 624 Debian email addresses, only one registered a PGP key, and 3 registered an IPGP URL. The PGP key was registered by the author of the RFC, Simon Josefsson. Two of the IPGP entries did not point to valid PGP data, and one led to a redirect to PGP data (HTTP 301 Moved Permanently), which GnuPG does not follow. There was also a high rate of erroneous or irrelevant responses.
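As an added example, not code from the NeoPG post or project, here is a small Python checker that performs the lookup logic behind the survey above on constructed records: it maps an address to the CERT owner name (the '@' becomes a label separator, as in RFC 4398 and GnuPG's `--auto-key-locate cert`), parses CERT rdata in wire and presentation form, distinguishes PGP (type 3) from IPGP (type 6) records, extracts the IPGP fingerprint and URL, and classifies what a fetch of that URL would yield. The HTTP layer is a dictionary of assumed responses (example.org names, no real hosts), so it runs offline; a 301 is counted as a miss to mirror the observation that GnuPG does not follow redirects.

```python
"""Added example (not NeoPG or GnuPG code): parse RFC 4398 CERT records and
classify what a PGP / IPGP lookup would yield, offline, on constructed input."""
import base64
import struct
from dataclasses import dataclass

CERT_PGP = 3    # RFC 4398: OpenPGP packet carried in the record itself
CERT_IPGP = 6   # RFC 4398: fingerprint + URL of an OpenPGP packet
TYPE_MNEMONICS = {"PGP": CERT_PGP, "IPGP": CERT_IPGP}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def cert_owner_name(email: str) -> str:
    """Owner name for a CERT lookup: user@example.org -> user.example.org."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    return f"{local}.{domain}"


@dataclass
class CertRecord:
    cert_type: int
    key_tag: int
    algorithm: int
    data: bytes


def parse_cert_rdata(rdata: bytes) -> CertRecord:
    """Wire format: type(2) key-tag(2) algorithm(1) certificate(*)."""
    if len(rdata) < 5:
        raise ValueError("CERT rdata too short")
    cert_type, key_tag, algorithm = struct.unpack("!HHB", rdata[:5])
    return CertRecord(cert_type, key_tag, algorithm, rdata[5:])


def parse_cert_presentation(text: str) -> CertRecord:
    """Presentation format: '<type> <key tag> <algorithm> <base64 data>';
    the type may be a number or a mnemonic such as PGP or IPGP."""
    fields = text.split()
    if len(fields) < 4:
        raise ValueError("expected: type key-tag algorithm base64")
    t = fields[0].upper()
    cert_type = TYPE_MNEMONICS.get(t, int(t) if t.isdigit() else -1)
    if cert_type < 0:
        raise ValueError(f"unknown CERT type {fields[0]!r}")
    data = base64.b64decode("".join(fields[3:]), validate=True)
    return CertRecord(cert_type, int(fields[1]), int(fields[2]), data)


def parse_ipgp(data: bytes) -> tuple[bytes, str]:
    """IPGP payload: one length octet, an optional fingerprint of up to
    20 octets, then the URL as ASCII."""
    if not data:
        raise ValueError("empty IPGP payload")
    fpr_len = data[0]
    if fpr_len > 20 or len(data) < 1 + fpr_len:
        raise ValueError("bad IPGP fingerprint length")
    fpr = data[1:1 + fpr_len]
    url = data[1 + fpr_len:].decode("ascii")
    if not url:
        raise ValueError("IPGP record without URL")
    return fpr, url


def looks_like_openpgp_key(blob: bytes) -> bool:
    """True for an ASCII-armored public key block or a binary stream whose
    first packet is a public-key packet (tag 6, RFC 4880 section 4.2)."""
    if blob.lstrip().startswith(b"-----BEGIN PGP PUBLIC KEY BLOCK-----"):
        return True
    if not blob or not blob[0] & 0x80:
        return False
    tag = blob[0] & 0x3F if blob[0] & 0x40 else (blob[0] >> 2) & 0x0F
    return tag == 6


def classify_ipgp_fetch(status: int, body: bytes) -> str:
    """A redirect counts as a miss: GnuPG does not follow it."""
    if status in REDIRECT_STATUSES:
        return "redirect-not-followed"
    if status != 200:
        return "http-error"
    return "pgp-data" if looks_like_openpgp_key(body) else "not-pgp-data"


def classify_record(rec: CertRecord, fetch) -> str:
    """Map one CERT record to a survey category; fetch(url) -> (status, body)."""
    if rec.cert_type == CERT_PGP:
        return "pgp-key" if looks_like_openpgp_key(rec.data) else "invalid-pgp"
    if rec.cert_type == CERT_IPGP:
        try:
            _fpr, url = parse_ipgp(rec.data)
        except ValueError:
            return "invalid-ipgp"
        return "ipgp:" + classify_ipgp_fetch(*fetch(url))
    return "irrelevant"


# Constructed sample zone data and HTTP answers (assumptions, not real hosts).
SAMPLE_ARMOR = (b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n\nmQENBF...\n"
                b"-----END PGP PUBLIC KEY BLOCK-----\n")
SAMPLE_RECORDS = {
    "alice.example.org": parse_cert_presentation(
        "PGP 0 0 " + base64.b64encode(SAMPLE_ARMOR).decode()),
    "bob.example.org": parse_cert_rdata(
        struct.pack("!HHB", CERT_IPGP, 0, 0) + bytes([0]) + b"http://example.org/bob.asc"),
    "carol.example.org": parse_cert_rdata(
        struct.pack("!HHB", CERT_IPGP, 0, 0) + bytes([0]) + b"https://example.org/carol.asc"),
}
FAKE_HTTP = {
    "http://example.org/bob.asc": (301, b""),
    "https://example.org/carol.asc": (200, b"<html>not a key</html>"),
}


def survey(emails, records=SAMPLE_RECORDS, http=FAKE_HTTP) -> dict:
    """Run the lookup for each address against the constructed data."""
    def fetch(url):
        return http.get(url, (404, b""))
    results = {}
    for email in emails:
        rec = records.get(cert_owner_name(email))
        results[email] = "no-record" if rec is None else classify_record(rec, fetch)
    return results


if __name__ == "__main__":
    for addr, verdict in survey(["alice@example.org", "bob@example.org",
                                 "carol@example.org", "dave@example.org"]).items():
        print(addr, verdict)
```

Against real zones one would replace `SAMPLE_RECORDS` with answers from a DNS resolver and `FAKE_HTTP` with an HTTP client that does not follow redirects; the classification code stays the same.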
RFC 7929 recommends against RFC 4398:
The OPENPGPKEY RRtype somewhat resembles the generic CERT record
defined in [RFC4398]. However, the CERT record uses sub-typing with
many different types of keys and certificates. It is suspected that
its general application of very different protocols (PKIX versus
OpenPGP) has been the cause for lack of implementation and
deployment. Furthermore, the CERT record uses sub-typing, which is
now considered to be a bad idea for DNS.
All arguments against key retrieval via DNS apply (web bugs, lack of security in DNS, lack of control over DNS by users, difficulty of setting up DNS records, etc.).
As this is the last DNS record type for key retrieval in the code, I also removed all supporting code in dirmngr.
In the future, NeoPG will provide an API to extend key retrieval and trust evaluation, allowing such protocols to be included in applications without tainting the core code base.
DNS CERT is a standard for key retrieval over DNS. This is the authoritative document:
I am removing support for DNS CERTs from NeoPG: