Dear SIP-experts and DNS-SRV gurus;
I have some questions for the deployers of SER/Kamailio about best current practice for multiple SIP-servers with SRV-records and authentication. This is not a question about Kamailio itself but rather about experience with deployment of it in the field.
The current use case is:
1. Multiple SIP-servers are deployed for the same domain
2. The DNS is configured with SRV-records for load balancing, example: (let's call the domain "example.com")
    $ host -t SRV _sip._udp.example.com
    _sip._udp.example.com has SRV record 20 0 5080 alpha1.example.com.
    _sip._udp.example.com has SRV record 20 0 5080 alpha2.example.com.
3. When a SIP client registers, it resolves the domain using RFC3263 [1] and the first REGISTER request is sent to SIP-Server #1
4. SIP-server #1 replies with 401 containing the authentication challenge
5. The SIP Client adds the authentication header to the REGISTER request and re-sends it, but this time also using RFC 3263, and due to DNS rotation the request is sent to SIP-Server #2
6. Now, because the SIP-Servers are configured with _different_ secrets in the "auth" module [2], the REGISTER request fails with an authentication error.
Now, I know that it is common for SIP user-agents to send both requests to the same SIP-server instance. Baresip [3] is not doing that, it does a new RFC 3263 lookup for all requests (except e2e ACK/CANCEL).
So here are my questions:
- What is common practice in the field, to configure auth module with the same "secret" or different "secret" values?
- Do you know if there is any reference to IETF documents about how this should be handled? RFC 3263 says that every request should be resolved, except:
"The procedures here MUST be done exactly once per transaction, where transaction is as defined in [1]. That is, once a SIP server has successfully been contacted (success is defined below), all retransmissions of the SIP request and the ACK for non-2xx SIP responses to INVITE MUST be sent to the same host. Furthermore, a CANCEL for a particular SIP request MUST be sent to the same SIP server that the SIP request was delivered to."
- What is common practice for SIP user-agents to do in this case?
/alfred
[1] https://tools.ietf.org/html/rfc3263#section-4.4
[2] http://www.kamailio.org/docs/modules/3.4.x/modules/auth.html#auth.secret
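
The failure in steps 4 to 6 can be reproduced with a small model of stateless nonce checking. This is an added example, not part of the original post and not Kamailio code: the nonce layout (expiry plus an HMAC over it), the SipServer class, register_flow and the secrets are all assumptions made for illustration.

```python
import hashlib
import hmac

NONCE_LIFETIME = 300  # seconds; constructed value


class SipServer:
    """Simplified stateless nonce handling (a model, not Kamailio's real format)."""

    def __init__(self, name, secret):
        self.name = name
        self.secret = secret

    def _mac(self, expires):
        return hmac.new(self.secret, str(expires).encode(), hashlib.sha256).hexdigest()

    def challenge(self, now):
        """Step 4: build the nonce carried in the 401 response."""
        expires = now + NONCE_LIFETIME
        return f"{expires:x}.{self._mac(expires)}"

    def check_nonce(self, nonce, now):
        """Steps 5 and 6: validate the nonce echoed in the re-sent REGISTER."""
        try:
            expires_hex, mac = nonce.split(".")
            expires = int(expires_hex, 16)
        except ValueError:
            return "malformed"
        if not hmac.compare_digest(mac, self._mac(expires)):
            return "foreign-or-forged"  # not minted with this server's secret
        if now > expires:
            return "stale"
        return "ok"


def register_flow(first, second, now=1_000_000):
    """Initial REGISTER reaches `first`; the authenticated retry reaches `second`."""
    nonce = first.challenge(now)
    return second.check_nonce(nonce, now + 1)


if __name__ == "__main__":
    alpha1 = SipServer("alpha1.example.com", b"secret-A")  # constructed secrets
    alpha2 = SipServer("alpha2.example.com", b"secret-B")
    alpha2_shared = SipServer("alpha2.example.com", b"secret-A")
    print(register_flow(alpha1, alpha1))         # ok
    print(register_flow(alpha1, alpha2))         # foreign-or-forged
    print(register_flow(alpha1, alpha2_shared))  # ok
```

In this model a server with a different secret cannot tell a nonce minted by its peer from a forged one, which is why the retry that lands on the second SRV target is rejected.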