Dear SIP-experts and DNS-SRV gurus;

I have some questions for the deployers of SER/Kamailio about best current practice for multiple SIP-servers with SRV-records and authentication. This is not a question about Kamailio itself but rather about experience with deploying it in the field.

The current use case is:

1. Multiple SIP-servers are deployed for the same domain

2. The DNS is configured with SRV-records for load balancing, example:
   (let's call the domain "example.com")

   $ host -t SRV _sip._udp.example.com
   _sip._udp.example.com has SRV record 20 0 5080 alpha1.example.com.
   _sip._udp.example.com has SRV record 20 0 5080 alpha2.example.com.

3. When a SIP client registers, it resolves the domain using RFC 3263 [1] and the first REGISTER request is sent to SIP-Server #1

4. SIP-server #1 replies with 401 containing the authentication challenge

5. The SIP Client adds the authentication header to the REGISTER request and re-sends it, but this time also using RFC 3263, and due to DNS rotation the request is sent to SIP-Server #2

6. Now, because the SIP-Servers are configured with _different_ secrets in the "auth" module [2], the REGISTER request fails with authentication error.

Now, I know that it is common for SIP user-agents to send both requests to the same SIP-server instance. Baresip [3] is not doing that; it does a new RFC 3263 lookup for all requests (except e2e ACK/CANCEL).

So here are my questions:

- What is common practice in the field, to configure the auth module with the same "secret" or different "secret" values?

- Do you know if there is any reference to IETF documents about how this should be handled? RFC 3263 says that every request should be resolved, except:

  "The procedures here MUST be done exactly once per transaction, where transaction is as defined in [1]. That is, once a SIP server has successfully been contacted (success is defined below), all retransmissions of the SIP request and the ACK for non-2xx SIP responses to INVITE MUST be sent to the same host. Furthermore, a CANCEL for a particular SIP request MUST be sent to the same SIP server that the SIP request was delivered to."

- What is common practice for SIP user-agents to do in this case?

/alfred

[1] https://tools.ietf.org/html/rfc3263#section-4.4
[2] http://www.kamailio.org/docs/modules/3.4.x/modules/auth.html#auth.secret
[3] https://github.com/alfredh/baresip/issues/39

_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
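
Added example (not part of the original post and not Kamailio code): a simplified model of steps 3 to 6, assuming a stateless nonce built as an expiry time plus an HMAC keyed with the server's secret. The Registrar class, the nonce layout, the lifetime and the secret values are constructed for illustration; it shows a challenge issued by alpha1 being rejected by alpha2 when their secrets differ and accepted when they match.

```python
import hashlib
import hmac
import time

NONCE_LIFETIME = 300  # seconds; assumed value for this model


class Registrar:
    """Model of a registrar issuing stateless, HMAC-protected nonces."""

    def __init__(self, name, secret):
        self.name = name
        self.secret = secret  # bytes; stands in for the auth "secret" setting

    def _mac(self, expires_hex):
        return hmac.new(self.secret, expires_hex.encode(), hashlib.sha256).hexdigest()

    def challenge(self, now):
        """Nonce for a 401: expiry timestamp (hex) followed by a MAC over it."""
        expires_hex = format(int(now) + NONCE_LIFETIME, "08x")
        return expires_hex + self._mac(expires_hex)

    def check_nonce(self, nonce, now):
        """Return 'ok', 'stale' or 'invalid' for a nonce echoed by a client."""
        expires_hex, mac = nonce[:8], nonce[8:]
        # Constant-time compare; fails if the nonce was keyed with another secret.
        if not hmac.compare_digest(mac.encode(), self._mac(expires_hex).encode()):
            return "invalid"
        if int(expires_hex, 16) < now:
            return "stale"
        return "ok"


def register_via_srv(first, second, now=None):
    """First REGISTER lands on `first`; the authenticated retry lands on `second`."""
    now = time.time() if now is None else now
    nonce = first.challenge(now)              # step 4: 401 with challenge
    return second.check_nonce(nonce, now + 1)  # step 5: retry after new SRV lookup


if __name__ == "__main__":
    # Constructed secrets, for illustration only.
    split = register_via_srv(Registrar("alpha1", b"secret-one"),
                             Registrar("alpha2", b"secret-two"))
    shared = register_via_srv(Registrar("alpha1", b"same-secret"),
                              Registrar("alpha2", b"same-secret"))
    print("different secrets:", split)
    print("shared secret:    ", shared)
```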