I also think you have higher trust in DNSSEC-validated keys than a key that you get from a key server without a trust path to some key you trust.
Not really. The only credible assertion a self-signature like DNSSEC can make is "this is me." But in this case it's "this is my user" which is not the same thing. Unless you know something about the relationship between the domain and its mail users, that might be anywhere from completely true to completely false.
If it's false, it doesn't have to be false for malicious reasons. If I ran a webmail service, call it GooHoo, I'd publish keys for all my users. Why not? The opportunistic encryption keeps random strangers from snooping on incoming mail, webmail pretty much requires that the mail service handle the encryption (there are plugins, but I've never found one that was at all usable), and I can continue to enhance the experience of my webmail users by displaying relevant ads from our trusted marketing partners.
Also, it seems to me that most of the complaints about key servers could be fixed by improving the key servers, without having to change the existing PGP clients that use them.
R's, John