Currently, if no --hkp-cacert option is provided, and the keyserver hostname is
anything but hkps.pool.sks-keyservers.net, no X.509 trust anchors are used,
which means that hkps connections from dirmngr must fail.
Instead, hkps connections from dirmngr should default to using system trust,
which could be overridden by setting hkp-cacert directly.
See initial discussion here:
https://lists.gnupg.org/pipermail/gnupg-devel/2016-July/031372.html