Negative caching of unknown principals

Nico Williams nico at cryptonector.com
Mon Aug 4 13:32:33 EDT 2014


On Fri, Aug 01, 2014 at 04:46:27PM -0500, Nico Williams wrote:
> IMO a negative cache belongs in the ccache, with some TTL, and with
> kvno(1) always (or optionally) ignoring NAKs.

It'd be nice if the KDC could advertise a TTL for this.

Also, ideally such ccache entries should be like cc config entries, and
they should have a fixed-sized timestamp that can be overwritten to
immediately expire or refresh it as desired without having to enlarge
the ccache.
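The fixed-size, overwritable timestamp suggested above, as an added example that is not part of the original message or of any Kerberos implementation. The record layout and the names `neg_append`, `neg_find`, `neg_set_expiry` and `neg_is_live` are hypothetical; the cache is modelled as a byte buffer so that its length can be seen to stay constant.

```c
/* Hypothetical layout, not the real ccache format: u16 len | name | u64 BE expiry. */
#include <stdint.h>
#include <string.h>
static void put_be64(uint8_t *p, uint64_t v) {
    for (int i = 7; i >= 0; i--) { p[i] = (uint8_t)(v & 0xff); v >>= 8; }
}
static uint64_t get_be64(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) v = (v << 8) | p[i];
    return v;
}
/* Append a negative entry; returns the new cache length, or 0 if it does not fit. */
size_t neg_append(uint8_t *buf, size_t len, size_t cap, const char *princ, uint64_t expiry) {
    size_t n = strlen(princ);
    if (n > 0xffff || len > cap || cap - len < 2 + n + 8) return 0;
    buf[len] = (uint8_t)(n >> 8); buf[len + 1] = (uint8_t)n;
    memcpy(buf + len + 2, princ, n);
    put_be64(buf + len + 2 + n, expiry);
    return len + 2 + n + 8;
}
/* Offset of princ's timestamp field, or -1 if the cache has no entry for it. */
long neg_find(const uint8_t *buf, size_t len, const char *princ) {
    size_t off = 0, want = strlen(princ);
    while (len - off >= 2) {
        size_t n = ((size_t)buf[off] << 8) | buf[off + 1];
        if (len - off - 2 < n + 8) break;   /* truncated record: stop scanning */
        if (n == want && memcmp(buf + off + 2, princ, n) == 0) return (long)(off + 2 + n);
        off += 2 + n + 8;
    }
    return -1;
}
/* Overwrite only the 8 timestamp bytes: 0 expires the entry, a later time refreshes it. */
int neg_set_expiry(uint8_t *buf, size_t len, const char *princ, uint64_t expiry) {
    long ts = neg_find(buf, len, princ);
    if (ts >= 0) put_be64(buf + ts, expiry);
    return ts >= 0 ? 0 : -1;
}
/* 1 if an unexpired negative entry exists for princ at time now, else 0. */
int neg_is_live(const uint8_t *buf, size_t len, const char *princ, uint64_t now) {
    long ts = neg_find(buf, len, princ);
    return ts >= 0 && get_be64(buf + ts) > now;
}
int main(void) {
    uint8_t cc[128];
    const char *p = "host/a.example.test@EXAMPLE.TEST";  /* constructed sample name */
    size_t len = neg_append(cc, 0, sizeof cc, p, 1000);
    neg_set_expiry(cc, len, p, 0);                       /* expire in place */
    return neg_is_live(cc, len, p, 900);                 /* 0: entry no longer live */
}
```
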


More information about the krbdev mailing list