From the kerberos list discussion, the platform this behavior was observed on was Solaris 10 / x86. The obvious possibility is that the resolver is returning -1 when the response is too big for the buffer, instead of the size of the response as we expect.