diff --git a/lib/gssapi/krb5/acquire_cred.c b/lib/gssapi/krb5/acquire_cred.c
index c7fa9e447..03d2b1b79 100644
--- a/lib/gssapi/krb5/acquire_cred.c
+++ b/lib/gssapi/krb5/acquire_cred.c
@@ -399,7 +399,7 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred_ext
 HEIMDAL_MUTEX_init(&handle->cred_id_mutex);
 if (desired_name != GSS_C_NO_NAME) {
- ret = _gsskrb5_canon_name(minor_status, context, 1, NULL,
+ ret = _gsskrb5_canon_name(minor_status, context, NULL,
 desired_name, &handle->principal);
 if (ret) {
 HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
diff --git a/lib/gssapi/krb5/canonicalize_name.c b/lib/gssapi/krb5/canonicalize_name.c
index 3aa74a943..a8450ba9e 100644
--- a/lib/gssapi/krb5/canonicalize_name.c
+++ b/lib/gssapi/krb5/canonicalize_name.c
@@ -48,7 +48,7 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_canonicalize_name (
 GSSAPI_KRB5_INIT (&context);
- ret = _gsskrb5_canon_name(minor_status, context, 1, NULL, input_name, &name);
+ ret = _gsskrb5_canon_name(minor_status, context, NULL, input_name, &name);
 if (ret)
 return ret;
diff --git a/lib/gssapi/krb5/gsskrb5_locl.h b/lib/gssapi/krb5/gsskrb5_locl.h
index 6b9b03f34..4a4f445a7 100644
--- a/lib/gssapi/krb5/gsskrb5_locl.h
+++ b/lib/gssapi/krb5/gsskrb5_locl.h
@@ -134,7 +134,4 @@ extern HEIMDAL_MUTEX gssapi_keytab_mutex;
 #define SC_LOCAL_SUBKEY 0x08
 #define SC_REMOTE_SUBKEY 0x10
-/* type to signal that that dns canon maybe should be done */
-#define MAGIC_HOSTBASED_NAME_TYPE 4711
-
 #endif
diff --git a/lib/gssapi/krb5/import_name.c b/lib/gssapi/krb5/import_name.c
index d5bbbdc1d..fc4a41570 100644
--- a/lib/gssapi/krb5/import_name.c
+++ b/lib/gssapi/krb5/import_name.c
@@ -83,8 +83,8 @@ import_krb5_name (OM_uint32 *minor_status,
 OM_uint32
 _gsskrb5_canon_name(OM_uint32 *minor_status, krb5_context context,
- int use_dns, krb5_const_principal sourcename,
- gss_const_name_t targetname, krb5_principal *out)
+ krb5_const_principal sourcename,
+ gss_const_name_t targetname, krb5_principal *out)
 {
 krb5_const_principal p = (krb5_const_principal)targetname;
 krb5_error_code ret;
@@ -93,15 +93,9 @@ _gsskrb5_canon_name(OM_uint32 *minor_status, krb5_context context,
 *minor_status = 0;
 /* If its not a hostname */
- if (krb5_principal_get_type(context, p) != MAGIC_HOSTBASED_NAME_TYPE) {
+ if (krb5_principal_get_type(context, p) != KRB5_NT_SRV_HST &&
+ krb5_principal_get_type(context, p) != KRB5_NT_SRV_HST_NEEDS_CANON) {
 ret = krb5_copy_principal(context, p, out);
- } else if (!use_dns) {
- ret = krb5_copy_principal(context, p, out);
- if (ret)
- goto out;
- krb5_principal_set_type(context, *out, KRB5_NT_SRV_HST);
- if (sourcename)
- ret = krb5_principal_set_realm(context, *out, sourcename->realm);
 } else {
 if (p->name.name_string.len == 0)
 return GSS_S_BAD_NAME;
@@ -117,7 +111,6 @@ _gsskrb5_canon_name(OM_uint32 *minor_status, krb5_context context,
 out);
 }
- out:
 if (ret) {
 *minor_status = ret;
 return GSS_S_FAILURE;
@@ -161,7 +154,7 @@ import_hostbased_name (OM_uint32 *minor_status,
 else if (kerr)
 return GSS_S_FAILURE;
- krb5_principal_set_type(context, princ, MAGIC_HOSTBASED_NAME_TYPE);
+ krb5_principal_set_type(context, princ, KRB5_NT_SRV_HST_NEEDS_CANON);
 *output_name = (gss_name_t)princ;
 return 0;
diff --git a/lib/gssapi/krb5/init_sec_context.c b/lib/gssapi/krb5/init_sec_context.c
index 69e51f910..edc9346d1 100644
--- a/lib/gssapi/krb5/init_sec_context.c
+++ b/lib/gssapi/krb5/init_sec_context.c
@@ -207,7 +207,6 @@ gsskrb5_get_creds(
 krb5_ccache ccache,
 gsskrb5_ctx ctx,
 gss_const_name_t target_name,
- int use_dns,
 OM_uint32 time_req,
 OM_uint32 * time_rec)
 {
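Review bot: With the `!use_dns` branch deleted in the @@ -93 hunk, `sourcename` is no longer read anywhere in the visible parts of _gsskrb5_canon_name, yet the @@ -83 signature keeps it and gsskrb5_get_creds still passes `ctx->source`; if the remainder of the function, which lies outside these hunks, does not use it either, the parameter is dead and should go or carry a comment saying why it is retained. The comment `/* If its not a hostname */` above the new condition is now misleading, because both KRB5_NT_SRV_HST and KRB5_NT_SRV_HST_NEEDS_CANON are treated as host-based and sent into the canonicalizing branch, and `krb5_principal_get_type(context, p)` is evaluated twice for that single test. I would hoist it, `int type = krb5_principal_get_type(context, p);`, test `type != KRB5_NT_SRV_HST && type != KRB5_NT_SRV_HST_NEEDS_CANON`, and replace the comment with `/* Only host-based service names (SRV_HST, or NEEDS_CANON as set by import_hostbased_name) are canonicalized; anything else is copied as-is */`. Note that plain KRB5_NT_SRV_HST names, which the old code copied verbatim because their type was not the magic value, now also take the canonicalizing path; that is a behavioural change for names imported with that type and deserves a mention in the commit message.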
@@ -225,8 +224,8 @@ gsskrb5_get_creds(
 ctx->kcred = NULL;
 }
- ret = _gsskrb5_canon_name(minor_status, context, use_dns,
- ctx->source, target_name, &ctx->target);
+ ret = _gsskrb5_canon_name(minor_status, context, ctx->source,
+ target_name, &ctx->target);
 if (ret)
 return ret;
@@ -393,12 +392,9 @@ init_auth
 {
 OM_uint32 ret = GSS_S_FAILURE;
 krb5_error_code kret;
- krb5_data outbuf;
 krb5_data fwd_data;
 OM_uint32 lifetime_rec;
- int allow_dns = 1;
- krb5_data_zero(&outbuf);
 krb5_data_zero(&fwd_data);
 *minor_status = 0;
@@ -438,29 +434,8 @@ init_auth
 krb5_set_default_in_tkt_etypes(context, enctypes);
 }
- /* canon name if needed for client + target realm */
- kret = krb5_cc_get_config(context, ctx->ccache, NULL,
- "realm-config", &outbuf);
- if (kret == 0) {
- /* XXX 2 is no server canon */
- if (outbuf.length < 1 || ((((unsigned char *)outbuf.data)[0]) & 2))
- allow_dns = 0;
- krb5_data_free(&outbuf);
- }
-
- /*
- * First we try w/o dns, hope that the KDC have register alias
- * (and referrals if cross realm) for this principal. If that
- * fails and if we are allowed to using this realm try again with
- * DNS canonicalizion.
- */
 ret = gsskrb5_get_creds(minor_status, context, ctx->ccache,
- ctx, name, 0, time_req,
- time_rec);
- if (ret && allow_dns)
- ret = gsskrb5_get_creds(minor_status, context, ctx->ccache,
- ctx, name, 1, time_req,
- time_rec);
+ ctx, name, time_req, time_rec);
 if (ret)
 goto failure;
diff --git a/lib/krb5/get_cred.c b/lib/krb5/get_cred.c
index bdc9a499d..96ac03c42 100644
--- a/lib/krb5/get_cred.c
+++ b/lib/krb5/get_cred.c
@@ -1131,7 +1131,8 @@ _krb5_get_cred_kdc_any(krb5_context context,
 second_ticket, out_creds);
- if (ret == 0 || flags.b.canonicalize)
+ /* "Empty realm" -> only do referrals */
+ if (ret == 0 || strcmp(in_creds->server->realm, "") == 0)
 return ret;
 /* Try capaths */
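Review bot: The deleted `realm-config` lookup in the @@ -438 hunk was the per-ccache switch (bit 2, `/* XXX 2 is no server canon */`) that could turn DNS canonicalization off for a realm, and the deleted two-call sequence tried the KDC alias/referral route before ever consulting DNS; after this hunk the single gsskrb5_get_creds call has neither, so whether DNS is consulted for a host-based target is decided entirely by the name type inside _gsskrb5_canon_name. If deployments that set that config bit to keep service names from being rewritten by DNS answers are meant to be covered by the name_canon_rules instead, the commit should say so; otherwise this is a silent loss of a hardening control. At minimum leave a comment at the call, e.g. `/* Canonicalization (referrals and/or DNS) is driven by the target's name type and name_canon_rules; the per-ccache realm-config override no longer exists. */`. init_auth continues outside the hunk on both sides.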
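Review bot: In the @@ -1131 hunk the early return no longer consults `flags.b.canonicalize`, so a lookup for a non-empty realm that requested canonicalization and failed the direct attempt now continues into the capaths path where it previously returned the error; that changes which KDCs the client will go on to contact, and the new comment only explains the empty-realm half of the condition. If the fall-through is intended, say so: `/* An empty server realm means "ask our KDC for a referral"; there is no realm to walk capaths for, so stop. Any other realm falls through to capaths even when canonicalization was requested. */`. `strcmp(in_creds->server->realm, "") == 0` reads more directly as `in_creds->server->realm[0] == '\0'`. _krb5_get_cred_kdc_any continues outside the hunk on both sides.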
@@ -1484,9 +1485,9 @@ next_rule:
 if(options & KRB5_GC_CACHED)
 goto next_rule;
- if(rule_opts & KRB5_NCRO_USE_REFERRALS)
+ if (try_creds->server->name.name_type == KRB5_NT_SRV_HST)
 flags.b.canonicalize = 1;
- else if(rule_opts & KRB5_NCRO_NO_REFERRALS)
+ if (rule_opts & KRB5_NCRO_NO_REFERRALS)
 flags.b.canonicalize = 0;
 else
 flags.b.canonicalize = (options & KRB5_GC_CANONICALIZE) ? 1 : 0;
diff --git a/lib/krb5/principal.c b/lib/krb5/principal.c
index e8cc92fc7..d12e69b6a 100644
--- a/lib/krb5/principal.c
+++ b/lib/krb5/principal.c
@@ -1415,10 +1415,6 @@ rule_parse_token(krb5_context context, krb5_name_canon_rule rule,
 rule->options |= KRB5_NCRO_GC_ONLY;
 } else if (strcmp(tok, "no_referrals") == 0) {
 rule->options |= KRB5_NCRO_NO_REFERRALS;
- rule->options &= ~KRB5_NCRO_USE_REFERRALS;
- } else if (strcmp(tok, "use_referrals") == 0) {
- rule->options |= KRB5_NCRO_USE_REFERRALS;
- rule->options &= ~KRB5_NCRO_NO_REFERRALS;
 /* Rule ancilliary data: */
 } else if (strncmp(tok, "domain=", strlen("domain=")) == 0) {
 free(rule->domain);
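Review bot: The `flags.b.canonicalize = 1` set for KRB5_NT_SRV_HST names in the @@ -1484 hunk is a dead store: the `if (rule_opts & KRB5_NCRO_NO_REFERRALS)` that follows still has its `else`, so the flag is reassigned on every path and the name-type test never influences the result, leaving host-based names canonicalized only when the caller passed KRB5_GC_CANONICALIZE, which is presumably not what the commit intends. Reorder the chain so that `no_referrals` still wins: `if (rule_opts & KRB5_NCRO_NO_REFERRALS)` first, then `else if (try_creds->server->name.name_type == KRB5_NT_SRV_HST)` setting 1, then the existing `else`. KRB5_NT_SRV_HST_NEEDS_CANON, which import_hostbased_name now assigns, is not matched here; if such names can reach this point they should be handled the same way or the omission explained in a comment. `try_creds->server->name.name_type` also reaches into the principal structure where the gssapi side of the series uses krb5_principal_get_type(); the enclosing function extends beyond the hunk.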
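Review bot: Removing the `use_referrals` branch in the @@ -1415 hunk means a krb5.conf name_canon_rules entry that still contains that token now falls through to the later checks, which lie outside the hunk; unless that tail accepts unknown tokens a previously valid configuration stops parsing, and if it ignores them the rule changes meaning without any diagnostic. Keeping the token as an explicit no-op is the safer compatibility choice: `} else if (strcmp(tok, "use_referrals") == 0) { /* referrals are now the default; accepted for compatibility */`. If KRB5_NCRO_USE_REFERRALS remains defined in the header it is unreferenced after this series and should be removed or marked as deprecated there.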