“No match for domain in DNS SRV results” – Federation to additional SIP Domain

We have to be extra careful when we deal with additional SIP domains and we want these domains to be able to communicate with federated partners.

Most of the deployments only have DNS records for the main SIP domain, and because of this the federation for the additional domains won’t work.

For example, if we have sip.contoso.com and the additional SIP sip.fabrikam.com, the external DNS Records should look like this:

| FQDN | Type | Port | IP/Destination |
|---|---|---|---|
| sip.contoso.com | A | N/A | Access Edge Public IP |
| _sip._tls.contoso.com | SRV | 443 | sip.contoso.com |
| _sipfederationtls._tcp.contoso.com | SRV | 5061 | sip.contoso.com |
| sip.fabrikam.com | A | N/A | Access Edge Public IP |
| _sip._tls.fabrikam.com | SRV | 443 | sip.fabrikam.com |

Now, if we want federation with the company Adatum, which uses the sip domain sip.adatum.com, the process should go like this:

If the user carlos@adatum.com tries to contact the user marcos@contoso.com, everything will work fine. But if the user carlos@adatum.com tries to contact the user andre@fabrikam.com, then he receives a timeout error (504) message.

This happens because Lync will not be able to contact the additional SIP domain fabrikam.com, as the DNS record needed for federation discovery doesn’t exist.

Looking in the carlos@adatum.com user logs, we will find something like this:

07/03/2014|13:37:34.602 F38:1914 INFO :: Data Received - 192.168.0.1:443 (To Local Address: 192.168.0.2:63897) 809 bytes:
07/03/2014|13:37:34.602 F38:1914 INFO :: SIP/2.0 504 Server time-out
ms-user-logon-data: RemoteUser
Authentication-Info: TLS-DSK qop="auth", opaque="E2D9A7B3", srand="382B799B", snum="232", rspauth="4de6d6cccdae25093cc302def1dd49ea65ee2e73", targetname="edge.adatum.com", realm="SIP Communications Service", version=4
From: "Carlos"<sip:carlos@adatum.com>;tag=04b0588f49;epid=5711563404
To: <sip:andre@fabrikam.com>;tag=92B425936783DF691CBA0668BE1877F4
Call-ID: 2a5b3452dd3e4fd8afbd82deae80283c
CSeq: 1 SUBSCRIBE
Via: SIP/2.0/TLS 192.168.0.2:63897;received=10.7.122.7;ms-received-port=38596;ms-received-cid=26228E00
ms-diagnostics: 1009;reason="No match for domain in DNS SRV results";domain="fabrikam.com";fqdn1="sip.adatum.com";source="sip.adatum.com
Server: RTC/4.0
Content-Length: 0

As we can see, the error is explicit: No match for domain in DNS SRV results.

To solve this issue, we need to create SRV records on the external DNS for every additional SIP domain, and not just one record for the main SIP domain.

So, to solve the above issue, we need to create the _sipfederationtls._tcp.fabrikam.com SRV record. The following list contains all external DNS Records:

| FQDN | Type | Port | IP/Destination |
|---|---|---|---|
| sip.contoso.com | A | N/A | Access Edge Public IP |
| _sip._tls.contoso.com | SRV | 443 | sip.contoso.com |
| _sipfederationtls._tcp.contoso.com | SRV | 5061 | sip.contoso.com |
| sip.fabrikam.com | A | N/A | Access Edge Public IP |
| _sip._tls.fabrikam.com | SRV | 443 | sip.fabrikam.com |
| _sipfederationtls._tcp.fabrikam.com | SRV | 5061 | sip.fabrikam.com |

After creating that DNS record, the federation for the additional SIP domain will start working correctly.

Don’t forget to add all the sip.<additional SIP domains> to the Edge external certificate.

Also remember to add the sip.<additional SIP domains> DNS Records to the external DNS.
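One way to triage the trace above and to check a planned external zone before publishing it, as an added example that is not part of the original article: it extracts the failing domain from the ms-diagnostics header and reports which SIP domains lack the _sipfederationtls._tcp SRV record or the A record its target needs. The function names and the in-memory record list are assumptions; the sample data is built from the article's first table and its trace.

```python
import re

# Constructed input: the article's first record table (before the fix).
RECORDS = [
    ("sip.contoso.com", "A", None, "Access Edge Public IP"),
    ("_sip._tls.contoso.com", "SRV", 443, "sip.contoso.com"),
    ("_sipfederationtls._tcp.contoso.com", "SRV", 5061, "sip.contoso.com"),
    ("sip.fabrikam.com", "A", None, "Access Edge Public IP"),
    ("_sip._tls.fabrikam.com", "SRV", 443, "sip.fabrikam.com"),
]
# Constructed input: the ms-diagnostics header from the article's trace.
DIAG_LINE = ('ms-diagnostics: 1009;reason="No match for domain in DNS SRV results";'
             'domain="fabrikam.com";fqdn1="sip.adatum.com";source="sip.adatum.com')
Q = '"\u201c\u201d'  # straight or typographic quotes (pasted traces carry both)
HEADER = re.compile(r"^ms-diagnostics:\s*(\d+);(.*)$", re.IGNORECASE)
PARAM = re.compile(r"(\w+)=[%s]([^%s;]*)" % (Q, Q))


def parse_ms_diagnostics(line):
    """Return {'id': int, param: value, ...}, or None for any other line."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    fields = {"id": int(m.group(1))}
    fields.update(PARAM.findall(m.group(2)))  # tolerates a missing closing quote
    return fields


def srv_discovery_failures(log_lines):
    """Domains the trace reports as having no matching federation SRV result."""
    parsed = filter(None, map(parse_ms_diagnostics, log_lines))
    return {d["domain"].lower() for d in parsed
            if "No match for domain in DNS SRV" in d.get("reason", "") and "domain" in d}


def audit_federation_records(sip_domains, records):
    """Map each SIP domain to the problems found in its federation DNS records."""
    srv = {n.lower(): (p, t.lower()) for n, kind, p, t in records if kind == "SRV"}
    hosts = {n.lower() for n, kind, _, _ in records if kind == "A"}
    report = {}
    for dom in sip_domains:
        name = "_sipfederationtls._tcp." + dom.lower()
        if name not in srv:
            report[dom] = ["missing SRV " + name]
            continue
        port, target = srv[name]
        report[dom] = (["unexpected port %s" % port] if port != 5061 else []) + \
            (["target %s has no A record" % target] if target not in hosts else [])
    return report
```

Running `audit_federation_records(srv_discovery_failures(lines), RECORDS)` over a saved trace narrows the audit to the domains that actually failed federation discovery.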

Even though this is not the goal of this article, we would like to remind you that it is also necessary to have entries on external DNS for each additional SIP domain, so external users can connect without having issues with Discovery.