I wrote a paper for the MIT Kerberos Consortium (kerberos.org) on integrating Kerberos into applications that goes through the DNS issues in reasonable detail. I recommend looking at that. It is somewhat developer rather than administrator focused, but will give you a good understanding. Note that ssh has some explicit options to manipulate what it does about DNS, but most other Kerberos applications do not.