MIT Kerberos 1.18 added support for dns_canonicalize_hostname = fallback, which initially acts like dns_canonicalize_hostname = false, then retries the request with a canonicalized hostname if it fails due to an unknown service principal. (See https://web.mit.edu/kerberos/krb5-devel/doc/admin/princ_dns.html#service-principal-canonicalization)

only parses this as a boolean, which fails when it encounters this value (e.g. in the default krb5.conf for Fedora.)