Actually, if old keys aren't retained, the KDC cannot renew application service tickets issued before the service keys changed. Which may be desirable, if the reason for change is a compromised key, or maybe not, if the reason for change is a policy demanding a key change every so often.

Ken
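The trade-off described in the message above, as an added example that is not part of the original post: a toy KDC that indexes service keys by key version number (kvno) and must open a ticket with the key it was issued under before renewing it. The class, the principal name and the HMAC tag standing in for ticket encryption are all constructed for illustration.

```python
import hashlib
import hmac
import json
import os


class ToyKDC:
    """Constructed model: service keys indexed by key version number (kvno)."""
    def __init__(self):
        self.keys = {}  # principal -> {kvno: key bytes}

    def rotate(self, principal, keepold):
        ring = self.keys.setdefault(principal, {})
        kvno = max(ring, default=0) + 1
        if not keepold:
            ring.clear()  # old keys are discarded when the new one is set
        ring[kvno] = os.urandom(32)
        return kvno

    def _seal(self, key, body):
        # HMAC tag is a stand-in for encrypting the ticket under the service key
        return hmac.new(key, body, hashlib.sha256).hexdigest()

    def issue(self, principal, client, renew_till):
        kvno = max(self.keys[principal])
        body = json.dumps({"cname": client, "renew_till": renew_till}).encode()
        return {"sname": principal, "kvno": kvno, "body": body,
                "tag": self._seal(self.keys[principal][kvno], body)}

    def renew(self, ticket, now):
        """Open the ticket with its original key, then reissue under the current key."""
        key = self.keys[ticket["sname"]].get(ticket["kvno"])
        if key is None:
            raise LookupError("no retained key for kvno %d" % ticket["kvno"])
        if not hmac.compare_digest(ticket["tag"], self._seal(key, ticket["body"])):
            raise ValueError("ticket integrity check failed")
        fields = json.loads(ticket["body"])
        if now > fields["renew_till"]:
            raise ValueError("past renew-till")
        return self.issue(ticket["sname"], fields["cname"], fields["renew_till"])


def renewal_survives_rotation(keepold):
    kdc = ToyKDC()
    kdc.rotate("host/app.example.test", keepold=True)      # kvno 1
    ticket = kdc.issue("host/app.example.test", "alice", renew_till=1000)
    kdc.rotate("host/app.example.test", keepold=keepold)   # kvno 2
    try:
        return kdc.renew(ticket, now=500)["kvno"] == 2
    except LookupError:
        return False
```

With `keepold=False` every ticket issued under the previous key stops being renewable at the moment of rotation, which is the behaviour wanted after a compromise; with `keepold=True` outstanding tickets renew normally under the new key.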