Consider the following operations, starting from an empty keyring:
gpg --locate-keys firstname.lastname@example.org gpg --refresh gpg --locate-keys email@example.com gpg --with-key-origin --list-sigs
Now consider the following sequence, again starting from an empty keyring:
gpg --locate-keys firstname.lastname@example.org gpg --locate-keys email@example.com gpg --refresh gpg --with-key-origin --list-sigs
In the second sequence, the dkg certificate is visibly certified by clint, but in the first sequence, it is not.
This is a consequence of the import-clean option being set by default for keyserver access, which "cleans" certifications which are already stored in the local keyring.
That is, import-clean does "import, merge, and then clean", rather than doing "clean incoming certificate before import and merge". While this is the documented behavior for someone who can follow all the threads in the manpages, it is surprising that "gpg --refresh" would have this effect.
This is a regression from 2.2.16, where import-clean was not enabled by default during keyserver access.