Environment has a Kerberos Realm trust configured on a domain called XYZ. It is configured in both directions. It was created years ago and thanks to IT turnover no one can tell me why it's there. No one wants to delete it in case it might break something. We don't think any UNIX apps use it but MS does not provide a means to verify a realm trust like you can with an AD domain-to-domain trust. No users on the domain have altSecurityIdentities configured. The command ksetup /dumpstate says no user mappings are defined. There is no XYZ zone defined in DNS that I can find. The HKLM key LSA\Kerberos\Domains on the DC is empty. Kerberos realm trusts don't seem to use any unique ports to try to sniff for traffic. There don't seem to be any unique error or alert IDs to look for in the event log.
What else is there to check? Any ideas on how you might definitively show that this trust is not in use?