Just want to weigh in here to say this would be incredibly useful given the shift to the new keyserver model. See T4604 for more context.

Aha, thank you. Sorry I saw the original post about the flood attacks (https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f) which said to change your keyserver and I did, but I hadn't realized there were such significant differences.

I know the keyservers have been under attack, I'm using 'keys.openpgp.org' which is supposed to be more resilient to these, as I understand it?

Wow. I didn't even know that was a thing. What's weirder is --keyserver doesn't
override it. Shouldn't the user be able to override it somehow?

Yes, I understand that keyids are not unique. However, when I ask for the
fingerprint of a key, I likely mean the primary key, not subkeys. People use
keyids (hopefully long, often short), or fingerprints as an identity... and they
always mean of their primary key, not their subkeys. There should be an option
to list only primary keys that match.

::sigh:: OK, this was my software that's wrapping gpg. It was getting several
[GNUPG:] KEYEXPIRED responses and reporting the error before noticing that the
encryption actually succeeded. On other keys this wasn't a problem... but in
this cause the behavior is consistent (--always-trust was in fact on).

It's worth noting that --always-trust enables this to work... however,
--always-trust isn't required on other keys that don't seem to be built like this.