debian.org is DNSSEC-signed, and even has [a delegated, signed subzone for _openpgpkey.debian.org](http://dnsviz.net/d/_openpgpkey.debian.org/dnssec/) that it now uses to publish DANE OPENPGKEY records containing OpenPGP certificates for @debian.org e-mail addresses.
By contrast, fifthhorseman.net is not currently a signed zone.
However, when i do the following with an empty homedir:
gpg --auto-key-locate dane --locate-keys email@example.com firstname.lastname@example.org
then i end up with my certificate C4BC2DDB38CCE96485EBE9C2F20691179038E5C6 with both user IDs attached.
I see no differentiation between the two different User IDs, even when i list them with:
0 $ gpg --with-key-origin --list-keys /tmp/cdtemp.j9n5Yc/pubring.kbx ------------------------------ pub ed25519 2019-01-19 [C] [expires: 2021-01-18] C4BC2DDB38CCE96485EBE9C2F20691179038E5C6 origin=dane last=2019-07-10 uid [ unknown] Daniel Kahn Gillmor <email@example.com> origin=dane last=2019-07-10 uid [ unknown] Daniel Kahn Gillmor <firstname.lastname@example.org> origin=dane last=2019-07-10 sub ed25519 2019-01-19 [S] [expires: 2020-01-19] sub ed25519 2019-01-19 [A] [expires: 2020-01-19] sub cv25519 2019-01-19 [E] [expires: 2020-01-19] 0 $
The fact that both of these records appear to be treated the same suggests that the DNS queries are not validating DNSSEC.
While i think that the certificate discovery via DNS is good in both cases, I think that GnuPG should be able to at least differentiate between records received with a DNSSEC chain and records without one.