Oh come on. I am sure that you can sort the problem out with some sort of rule such as 'if case matters, use punycode for upper case'. It won't of course because people have been trying and failing to put account information into the DNS since the first DNS specs. The number of people who can configure DNS that way are maybe 5% of the total base. Big enterprises can't do it because the DNS is an infrastructure for describing hosts and they have other infrastructures for tracking people. Small enterprises can't do it because if you don't run your own DNS, you are left entering RRs through Web interfaces that only recently started supporting SRV. Let these folk get on with their experiment so that they can learn what others have learned before for themselves. The only way you could do that sort of thing with DNS records is if you were doing something like S/MIME and you had a LRA for the domain with its own root or intermediate cert and published an authenticator for that in the DNS. then you could put a link to your directory where account granular lookup can be performed in the DNS next to it. This fits S/MIME a lot better than OpenPGP because it is already hierarchical. Of course you can do the same thing with OpenPGP but the cost is that you are imposing the DNSSEC hierarchy on OpenPGP. This is not a solution, it is a distraction. But the sooner they get started on learning the problems themselves, the sooner we can get onto the next thing.