Domains should verify with DNS.
CitizenPrayer opened this issue
Unfortunately, the only way to sign a key for a domain with keys.pub currently is via uploading a file to a server. This does not verify a domain; this simply verifies that a domain is linked to a server, in which case the server can be changed, swapped, etc. This is a security vulnerability, and ought to be corrected. Keys need to be signed in coordination with the DNS records themselves, so that servers are not involved.
Should I change the "Link to Domain (https)" option to "Link to Website (https)", and then add the DNS option: "Link to Domain (dns)"?
I am sort of following what Keybase had as options for proofs.
This sounds awesome! Maybe the tool should only accept DNSSEC domains?
@prusnak IIRC only some TLDs -- be it gTLD or ccTLD -- support DNSSEC, so enforcing DNSSEC-only would render certain verifications impossible.
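To make concrete what a DNS-based proof (as opposed to the HTTPS file upload criticised in the opening post) has to check, and how a "DNSSEC required" switch of the kind discussed in the last two comments would behave, here is an added example written for this thread. It is not keys.pub's code, and the TXT record layout (`example-proof=v1;kid=...;sig=...`), the signed statement format, and the `DNSAnswer`/`Resolver` types are all hypothetical. The domain name is folded into the signed statement so that a proof published on one domain cannot be copied onto another, and the resolver is injected so the check runs offline against constructed zone data; in a real deployment it would be backed by a validating resolver that exposes the AD (authenticated data) bit, which is how the verifier can reject unsigned answers only when the caller opts in, leaving zones under TLDs without DNSSEC verifiable in the relaxed mode.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Hypothetical TXT record layout (not keys.pub's real format):
//   example-proof=v1;kid=<base64 pubkey>;sig=<base64 ed25519 signature>
// The signed statement binds the key to the domain, so a record signed for
// one domain is useless if copied into another zone.
const recordPrefix = "example-proof="

func statement(domain string, pub ed25519.PublicKey) []byte {
	return []byte("example-proof:v1:" + strings.ToLower(domain) + ":" +
		base64.StdEncoding.EncodeToString(pub))
}

// MakeProofRecord builds the TXT value the domain owner publishes.
func MakeProofRecord(domain string, priv ed25519.PrivateKey) string {
	pub := priv.Public().(ed25519.PublicKey)
	sig := ed25519.Sign(priv, statement(domain, pub))
	return recordPrefix + "v1;kid=" + base64.StdEncoding.EncodeToString(pub) +
		";sig=" + base64.StdEncoding.EncodeToString(sig)
}

// DNSAnswer models what a validating resolver hands back: the TXT strings and
// whether the answer carried the AD flag (DNSSEC-validated).
type DNSAnswer struct {
	TXT           []string
	Authenticated bool
}

// Resolver is injected so the verifier can be exercised offline.
type Resolver func(domain string) (DNSAnswer, error)

// VerifyDomainProof succeeds only if a TXT record on domain carries a valid
// signature by pub over the domain-bound statement. With requireDNSSEC set,
// an answer that was not DNSSEC-validated is rejected before any parsing.
func VerifyDomainProof(domain string, pub ed25519.PublicKey, lookup Resolver, requireDNSSEC bool) error {
	ans, err := lookup(domain)
	if err != nil {
		return err
	}
	if requireDNSSEC && !ans.Authenticated {
		return errors.New("answer not DNSSEC-validated (AD flag clear)")
	}
	wantKid := base64.StdEncoding.EncodeToString(pub)
	for _, txt := range ans.TXT {
		if !strings.HasPrefix(txt, recordPrefix) {
			continue // unrelated record, e.g. SPF
		}
		fields := map[string]string{}
		for _, part := range strings.Split(strings.TrimPrefix(txt, recordPrefix), ";") {
			if k, v, ok := strings.Cut(part, "="); ok {
				fields[k] = v
			}
		}
		if fields["kid"] != wantKid {
			continue // proof for some other key; keep scanning
		}
		sig, err := base64.StdEncoding.DecodeString(fields["sig"])
		if err != nil || len(sig) != ed25519.SignatureSize {
			return errors.New("malformed signature in proof record")
		}
		if ed25519.Verify(pub, statement(domain, pub), sig) {
			return nil
		}
		return errors.New("proof record present but signature invalid")
	}
	return errors.New("no proof record for this key")
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed zone data standing in for a live lookup of example.com.
	zone := map[string]DNSAnswer{
		"example.com": {TXT: []string{"v=spf1 -all", MakeProofRecord("example.com", priv)}, Authenticated: true},
	}
	lookup := func(d string) (DNSAnswer, error) {
		a, ok := zone[strings.ToLower(d)]
		if !ok {
			return DNSAnswer{}, errors.New("NXDOMAIN")
		}
		return a, nil
	}
	fmt.Println("example.com, DNSSEC required:", VerifyDomainProof("example.com", pub, lookup, true))
}
```

Because the verifier never contacts the web server, swapping or compromising the host behind the domain does not change the outcome; only whoever can edit the zone can publish or revoke the proof, which is the property the opening post asks for.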