For all cases where a kdc is set we additionally set
dns_lookup_kdc = fasle
Motivation here is to avoid these pointless DNS lookups
188.8.131.52 queried 1597 times name _kerberos-master._tcp.CERN.CH
184.108.40.206 queried 1594 times name _kerberos-master._udp.CERN.CH
220.127.116.11 queried 1594 times name _kerberos.CERN.CH
The lookup of kerberos-master happens when the user types in wrong password. krb5-libs retries with the master node to just in case replication has not happened yet. Since we only have "one" cerndc.cern.ch this does not make sense but we should at least avoid these lookups.
These lookups are not cached for long (if at all ) since they are non hits.