krb5_dbe_def_search_enctype does not currently treat kvno 0 the same way as kvno -1. kvno -1 means "ignore the kvno", while kvno 0 means "search only in the highest kvno". (Confusingly, if you pass kvno, stype, and ktype all as -1, the code optimizes by setting kvno to 0 in order to look only at entries of highest kvno, without a comment explaining what it's doing.) It may be that we don't need both modes of operation. Offhand, I can't imagine a situation where you want to search for a particular enctype and/or salt type across all key versions. But we'd need to analyze all of the call sites to make sure of that.
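The two modes described above, as a simplified C model added here (not the project's source and not the poster's code). `struct key`, `search_key` and the sample key list are hypothetical, and the rule that kvno -1 returns the highest-kvno match is an assumption of the model.

```c
#include <stdio.h>

/* Simplified stand-in for a key entry; not the real krb5_key_data layout. */
struct key { int kvno; int enctype; int salttype; };

/*
 * Hypothetical model of the kvno modes described above:
 *   kvno > 0   match only that key version
 *   kvno == 0  match only within the highest key version present
 *   kvno == -1 ignore kvno (assumed: highest-kvno match wins)
 * enctype/salttype of -1 are wildcards. Returns NULL when nothing matches.
 */
const struct key *search_key(const struct key *keys, size_t n,
                             int enctype, int salttype, int kvno)
{
    const struct key *best = NULL;
    size_t i;
    /* The uncommented optimization: all wildcards => highest kvno only. */
    if (kvno == -1 && enctype == -1 && salttype == -1)
        kvno = 0;
    if (kvno == 0)
        for (i = 0; i < n; i++)
            if (keys[i].kvno > kvno)
                kvno = keys[i].kvno;

    for (i = 0; i < n; i++) {
        if (enctype != -1 && keys[i].enctype != enctype)
            continue;
        if (salttype != -1 && keys[i].salttype != salttype)
            continue;
        if (kvno >= 0) {
            if (keys[i].kvno == kvno)
                return &keys[i];
        } else if (best == NULL || keys[i].kvno > best->kvno) {
            best = &keys[i];
        }
    }
    return best;
}

/* Constructed sample: enctype 23 (arcfour-hmac) exists only at old kvno 1. */
const struct key sample[] = { {2, 18, 0}, {2, 17, 0}, {1, 18, 0}, {1, 23, 0} };

int main(void)
{
    printf("kvno=-1: %s\n", search_key(sample, 4, 23, -1, -1) ? "found" : "none");
    printf("kvno=0:  %s\n", search_key(sample, 4, 23, -1, 0) ? "found" : "none");
    return 0;
}
```

In this model a search for enctype 23 with kvno -1 returns the key from the superseded kvno 1, while the same search with kvno 0 returns nothing, which is the behavioural difference any call-site analysis would need to account for.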