It seems that your understanding is mostly correct. All this should be documented in the 1.3.1 admin guide for MIT Kerberos. I believe that Kerberos 4 will always use DNS to find KDCs (and never to find realm mappings) but it uses _kerberos-iv rather than _kerberos.