diff --git a/dirmngr/http.c b/dirmngr/http.c
index 90682fa46..bc62c820b 100644
--- a/dirmngr/http.c
+++ b/dirmngr/http.c
@@ -613,6 +613,8 @@ http_session_new (http_session_t *r_session, const char *tls_priority,
 const char *errpos;
 int rc;
 strlist_t sl;
+ int add_system_cas = !!(flags & HTTP_FLAG_TRUST_SYS);
+ int is_hkps_pool;
 rc = gnutls_certificate_allocate_credentials (&sess->certcred);
 if (rc < 0)
@@ -623,13 +625,14 @@ http_session_new (http_session_t *r_session, const char *tls_priority,
 goto leave;
 }
+ is_hkps_pool = (intended_hostname
+ && !ascii_strcasecmp (intended_hostname,
+ "hkps.pool.sks-keyservers.net"));
+
 /* If the user has not specified a CA list, and they are looking
 * for the hkps pool from sks-keyservers.net, then default to
 * Kristian's certificate authority: */
- if (!tls_ca_certlist
- && intended_hostname
- && !ascii_strcasecmp (intended_hostname,
- "hkps.pool.sks-keyservers.net"))
+ if (!tls_ca_certlist && is_hkps_pool)
 {
 char *pemname = make_filename_try (gnupg_datadir (),
 "sks-keyservers.netCA.pem", NULL);
@@ -662,10 +665,12 @@ http_session_new (http_session_t *r_session, const char *tls_priority,
 log_info ("setting CA from file '%s' failed: %s\n",
 sl->d, gnutls_strerror (rc));
 }
+ if (!tls_ca_certlist && !is_hkps_pool)
+ add_system_cas = 1;
 }
 /* Add system certificates to the session. */
- if ((flags & HTTP_FLAG_TRUST_SYS))
+ if (add_system_cas)
 {
 #if GNUTLS_VERSION_NUMBER >= 0x030014
 static int shown;
diff --git a/doc/dirmngr.texi b/doc/dirmngr.texi
index 73afbc318..bc3072ce8 100644
--- a/doc/dirmngr.texi
+++ b/doc/dirmngr.texi
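Review bot: `is_hkps_pool` is declared without an initializer on the second added line of the first hunk, while the assignment that sets it only comes in the next hunk, after `gnutls_certificate_allocate_credentials` and its `goto leave` on failure. Whether the `leave:` path reads the flag is not visible here, but initializing at the declaration, `int is_hkps_pool = 0;`, removes the question and keeps the two new flags symmetric. http_session_new starts above and ends below this hunk.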
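Review bot: The new `add_system_cas = 1;` in the third hunk sits inside a block whose opening condition is above the hunk (from the loop over `sl` it appears to be the configured-CA block), so the system-CA fallback only fires when that enclosing block runs, and the untouched comment `/* Add system certificates to the session. */` no longer says when that is. I would extend it to `/* Add system certificates: requested via HTTP_FLAG_TRUST_SYS, or as the fallback when no hkp-cacert is configured and the host is not the SKS pool.  */`. Note also that a configured `tls_ca_certlist` whose files all fail in the `log_info` path just above leaves the session with no trust anchors and no system fallback, because the new condition requires `!tls_ca_certlist`; that fails closed, which seems the right outcome, but a log line at that point would make the empty trust store easier to diagnose. http_session_new continues outside the hunk.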
@@ -461,6 +461,11 @@ the file is in PEM format a suffix of @code{.pem} is expected for @var{file}. This option may be given multiple times to add more root certificates. Tilde expansion is supported.
+If no @code{hkp-cacert} directive is present, dirmngr will make a
+reasonable choice: if the keyserver in question is the special pool
+@code{hkps.pool.sks-keyservers.net}, it will use the bundled root
+certificate for that pool. Otherwise, it will use the system CAs.
+
 @end table