rekeying krbtgt

Hello,

we are trying to rekey old principals and get rid of the old `des-*`
enctypes, possibly without any service downtime. So far we've been able
to come up with rekeying procedure for service principals using
ktutils+kadmin (https://github.com/bodik/rekey/blob/master/rekey.py#L415)

Now I'm little bit wondering how to rollover the krbtgt principal, I've
found `cpw --keepold` functionality which nicely adds a new keys
(kvno+1) for existing principal with requested keytypes ([kadmin]
default_keys), but i cannot find a way how to selectively delete the old
key by kvno...

any advice would be very apprecitated

Best regards
Radoslav Bodo