by alwillis
2308 days ago
It’s not the job of GnuPG to validate DNSSEC signatures; that’s what a DNSSEC-aware resolver like BIND, Unbound or Knot does. If you’re not using such a resolver, all bets are off regarding trusting anything in the DNS. But it’s certainly easy enough for GnuPG to check the DNS flags to verify the resolver has validated the DNSSEC signatures, therefore authenticating the openpgp record for its use, which is the point. This is how DANE records work; SSH doesn’t validate DNSSEC signatures either but that doesn’t stop it from using SSHFP records in the DNS when they’ve been signed. |
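The check described in the comment above, as an added example that is not part of the original post and not GnuPG's own code: a client builds a query that asks the resolver for DNSSEC processing, then trusts the answer only if the resolver set the AD ("Authenticated Data") flag. The record type, name and response bytes are constructed for illustration, and the caveat in `trust_record` (AD is only meaningful over a trusted path to the resolver) is the practitioner's addition.

```python
# Added example (not from the comment or from GnuPG): checking the AD flag a
# validating resolver sets, instead of validating DNSSEC signatures ourselves.
import struct

OPENPGPKEY = 61   # RR type for OPENPGPKEY (RFC 7929); SSHFP is 44

def build_query(qname: str, qtype: int, txid: int = 0x1234) -> bytes:
    """DNS query with RD and AD set in the header (AD in a query signals that we
    understand the AD flag) plus an EDNS0 OPT record with the DO bit set."""
    flags = 0x0100 | 0x0020                       # RD | AD
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)
    labels = b"".join(bytes([len(lbl)]) + lbl.encode()
                      for lbl in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, type 41, UDP size 4096, ext-RCODE 0, version 0, DO, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

def response_is_authenticated(txid: int, resp: bytes) -> bool:
    """True only if the response matches our transaction id, is a reply with
    RCODE NOERROR, and carries the AD flag (bit 0x0020 of the flags word)."""
    if len(resp) < 12:
        return False
    rid, flags = struct.unpack("!HH", resp[:4])
    is_reply = bool(flags & 0x8000)
    rcode = flags & 0x000F
    ad = bool(flags & 0x0020)
    return rid == txid and is_reply and rcode == 0 and ad

def trust_record(resolver_ip: str, txid: int, resp: bytes) -> bool:
    """AD is an unsigned header bit set by the resolver, so it only means anything
    when the path to that resolver is trusted (here: loopback). Assumed policy."""
    trusted_path = resolver_ip in ("127.0.0.1", "::1")
    return trusted_path and response_is_authenticated(txid, resp)

# Constructed sample response headers (12 bytes; the body is irrelevant here)
AD_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)     # QR RD RA AD
NO_AD_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)  # QR RD RA

if __name__ == "__main__":
    q = build_query("<hash>._openpgpkey.example.com", OPENPGPKEY)  # placeholder name
    print(len(q), "byte query;", "trusted:", trust_record("127.0.0.1", 0x1234, AD_RESPONSE))
```

To use it against a real resolver, send `build_query(...)` over UDP to port 53 and pass the reply to `trust_record`; a non-validating resolver will simply never set AD.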