Q - I am just wondering how Kerberos handles the following -

If I have 2 KDC entries in my krb5.conf -

a.b.com - points to 3 KDCs (i.e. a.b.com is a DNS name pointing to 3 IP
addresses for 3 different KDCs)
b.b.com - also points to 3 KDCs

If a request to one of the KDCs in a.b.com fails, does Kerberos (and I
really mean the MIT implementation here) try the next possible KDCS in
a.b.com or fail down to b.b.com straightaway (without trying the other
two KDCs in a.b.com)?