I tend to agree with the change you propose. However, note that the DES keys are harmless with allow_weak_crypto set to false. They won't be used. The advantage of the current configuration is that if you discover you need DES, you can turn it on without rekeying your realm. That said, you don't need DES unless you're using OpenAFS, and at this point I think it's safe to say that OpenAFS's security isn't secure. So, I would tend to agree with your proposed change, but wanted to get it into the bug log that I think the current configuration's only harm is extra space in your database.
--Sam
