I created a project page describing key version limitations in more detail: http://k5wiki.kerberos.org/wiki/Projects/Larger_key_versions In addition to the kadmin concern, there are also 16-bit limitations on the KDC side. The proposed changes could risk making our behavior worse at 16-bit wraparound than it is currently. Perhaps this isn't worth worrying about; if you rotate a key once per day, you won't hit version 32767 until almost 90 years have elapsed. Regardless, some possible approaches are detailed there.