Been struggling with this for a while now.
So far I am finding it rather difficult to come up with a way to
authenticate SIP trunks taking into account all possible scenarios. My
setup is Kamailio combined with Asterisk realtime. Everything is in a
MySQL database. All authentication is done by Kamailio. Kamailio
handles SIP extension (user) authentication quite well but seems poorly
equipped for SIP trunk (peer) authentication. The biggest problem I
have run into so far is that SIP trunks typically use DNS names and
Kamailio is not at all designed to use DNS names. Also SIP trunks do
not use named "realms" whereas that is a key part of Kamailio
authentication.
For IP authentication about the only solution I have found is to DNS
lookup and save all returned IP addresses in the ip_addr mysql table.
Then I do:
#!ifdef WITH_IPAUTH
        # non-REGISTER request from an address listed in the permissions table,
        # with no Authorization header: accept it on source IP alone
        if((!is_method("REGISTER")) && allow_source_address() &&
                $au == "") {
                # source IP allowed
                return;
        }
#!endif
I can run a cron job every hour to DNS lookup and update the ip_addr
table as needed so I think this is a satisfactory solution for IP
authentication.
SIP trunk user/pass authentication is the one I am now struggling with.
This standard Kamailio authentication section does not work for SIP trunks.
        if (is_method("REGISTER|INVITE") || from_uri==myself)
        {
                # authenticate requests
                #if (!auth_check("$fd", "subscriber", "1")) {
                if (!auth_check("$fd", "subscriber", "0")) {
                        auth_challenge("$fd", "0");
                        exit;
                }
                # user authenticated - remove auth header
                if(!is_method("REGISTER|PUBLISH"))
                        consume_credentials();
        }
This is a multidomain setup and therefore:
modparam("auth_db", "use_domain", 1)
So the authentication section will try to authenticate the realm of the
trunk which will always be an IP address. However the SIP trunk realm
will usually be saved in the "subscriber" database as the FQDN. There
is no mechanism for auth_check() to directly or indirectly check against
FQDN. The other problem is that even if I used the ip_addr table
somehow it will only try to use the user/pass of the first instance of a
matching IP address. For SIP trunks it is possible I could have
multiple subaccounts and therefore multiple instances of the same IP
with different user/pass. So auth_check() is not designed for being
used this way as far as I can tell.
Seems to me like there should almost be a special kamailio module just
for SIP trunks. I had a look at the carrierroute module; it's not designed
for this either.
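As an added example (not code from the thread, Kamailio or Asterisk), here is the hourly cron job the IP-authentication part describes: resolve each trunk's DNS name, diff the result against the rows already in the permissions table, and apply only the difference. It assumes the permissions module's address table layout (grp, ip_addr, mask, port, tag), a group number reserved for script-managed trunk rows, and PyMySQL as the driver; all three are assumptions to adjust to your schema. The resolver is injectable so the diff logic can be exercised without DNS. The trunk's FQDN is written into the tag column so that a routing script could later recover which trunk a source address belongs to.

```python
"""Sync resolved trunk addresses into the Kamailio permissions table.
Added example for this thread, not project code.  Assumes the permissions
`address` table (grp, ip_addr, mask, port, tag) and a dedicated group for
script-managed rows; both are assumptions about your deployment."""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Set, Tuple

TABLE = "address"    # assumption: permissions module table name
MANAGED_GRP = 10     # assumption: address group reserved for DNS-named trunks

Row = Tuple[int, str, int, int, str]          # (grp, ip_addr, mask, port, tag)
Statement = Tuple[str, tuple]                 # (parameterised SQL, parameters)


def resolve_host(hostname: str) -> Set[str]:
    """Every A/AAAA address currently published for hostname."""
    addrs = set()
    for family, _, _, _, sockaddr in socket.getaddrinfo(hostname, None):
        if family in (socket.AF_INET, socket.AF_INET6):
            addrs.add(sockaddr[0])
    return addrs


def desired_rows(trunks: Dict[str, int],
                 resolver: Callable[[str], Set[str]]) -> Set[Row]:
    """trunks maps trunk FQDN -> SIP port.  One host-mask row per resolved
    address; the FQDN is kept in the tag column.  A resolver that returns
    something that is not an IP address raises ValueError instead of
    silently writing a bad row into the table."""
    rows = set()
    for fqdn, port in trunks.items():
        for addr in resolver(fqdn):
            ip = ipaddress.ip_address(addr)
            mask = 32 if ip.version == 4 else 128
            rows.add((MANAGED_GRP, str(ip), mask, port, fqdn))
    return rows


def sync_statements(current: Iterable[Row], wanted: Set[Row]) -> List[Statement]:
    """Diff the rows currently in the managed group against the wanted set.
    Rows in other groups are never touched, so hand-maintained peers survive.
    Deletes come first so a trunk whose address moved is never briefly
    listed twice."""
    managed = {r for r in current if r[0] == MANAGED_GRP}
    stmts: List[Statement] = []
    for row in sorted(managed - wanted):
        stmts.append((f"DELETE FROM {TABLE} WHERE grp=%s AND ip_addr=%s "
                      "AND mask=%s AND port=%s AND tag=%s", row))
    for row in sorted(wanted - managed):
        stmts.append((f"INSERT INTO {TABLE} (grp, ip_addr, mask, port, tag) "
                      "VALUES (%s, %s, %s, %s, %s)", row))
    return stmts


if __name__ == "__main__":
    import subprocess
    import pymysql   # assumption: PyMySQL is the MySQL driver in use

    # Trunk list comes from your own configuration; these names are placeholders.
    trunks = {"trunk1.example.net": 5060, "trunk2.example.net": 5060}

    conn = pymysql.connect(read_default_file="~/.my.cnf", database="kamailio")
    try:
        with conn.cursor() as cur:
            cur.execute(f"SELECT grp, ip_addr, mask, port, tag FROM {TABLE} "
                        "WHERE grp=%s", (MANAGED_GRP,))
            changes = sync_statements(cur.fetchall(),
                                      desired_rows(trunks, resolve_host))
            for sql, params in changes:
                cur.execute(sql, params)
        conn.commit()
    finally:
        conn.close()

    # The permissions module caches the table; reload only when something changed.
    if changes:
        subprocess.run(["kamcmd", "permissions.addressReload"], check=True)
```

Run it from cron as the user whose ~/.my.cnf holds the Kamailio database credentials. Because the script only ever deletes rows in its own group, a trunk whose DNS name stops resolving loses its rows at the next run rather than keeping a stale, possibly reassigned address authorised; conversely, an address that moves to a different trunk is rewritten with the new tag in the same run.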