@a0b872c9 It uses a secore DNS to get the public key. The explanation says it needs a secure DNS provider, but doesn't go into any detail about where to find one.
It looks like it could pick one automatically, or you can pick your own on the "increased security" setting.
But that means all trust has to be with this one provider. 
If the provider is good, it is beneficial.
But if the provider is malicious or compromised, it could be disastrous. 

 @ee7a05b3 sure, but you can split the two aspects, so that's ok