I think there is a minor ambiguity in the naming draft:
Consequently, unless otherwise
specified, a well-known Kerberos realm name MUST NOT be present in
Who enforces this requirement? That's an important question because
it controls who needs to support the specific well known realm in
order for it to be used.
In general using passive voice for such requirements is a really bad idea.
I'd recommend something like: Unless otherwise specified, parties
checking the transited realm path MUST reject a transited realm path
that includes a well known realm. In the case of KDCs checking the transited
realm path, this means that the transited policy checked flag MUST NOT be set
in the resulting ticket.
In particular, that means that a KDC that is not checking transited
realm paths is not encouraged to reject a request simply because the
realm in an unknown well known realm.
IETF mailing list