# checker-sip SIP / VoIP server checker for [happyDomain](https://www.happydomain.org/). Probes a domain's SIP deployment end-to-end from its DNS records: - **RFC 3263 resolution.** NAPTR → SRV (`_sip._udp`, `_sip._tcp`, `_sips._tcp`) → A/AAAA. - **Reachability** on every resolved `target:port` over UDP, TCP and TLS. - **SIP `OPTIONS` ping.** Raw RFC 3261 request; parses status line, `Server` / `User-Agent`, `Allow` methods, round-trip time. - **Discovery entries.** Every `_sips._tcp` target is published as a `tls.endpoint.v1` `DiscoveryEntry` (via [`checker-tls/contract`](../checker-tls/README.md)) so the TLS checker can verify chain, SAN, expiry and cipher posture without re-doing the SRV lookup. TLS issues reported by the TLS checker are folded back into this report via `GetRelated("tls_probes")`. Attaches to the `abstract.SIP` service (SRV records for `_sip._udp`, `_sip._tcp`, `_sips._tcp`). The happyDomain core registers the abstract service automatically; no extra configuration is required. ## Usage ### Standalone HTTP server ```bash make ./checker-sip -listen :8080 ``` Exposes the standard happyDomain external checker endpoints (`/health`, `/definition`, `/collect`, `/evaluate`, `/report`). ### Docker ```bash make docker docker run -p 8080:8080 happydomain/checker-sip ``` ### happyDomain plugin ```bash make plugin # produces checker-sip.so, loadable as a Go plugin by happyDomain. ``` ## Options | Scope | Id | Description | | ----- | ----------- | ---------------------------------------------------------------------- | | Run | `domain` | SIP domain to test (auto-filled from the service domain). | | Run | `timeout` | Per-endpoint probe timeout in seconds (default: `5`). | | Admin | `probeUDP` | Probe `_sip._udp` (default: `true`). Disable if UDP is firewalled. | | Admin | `probeTCP` | Probe `_sip._tcp` (default: `true`). | | Admin | `probeTLS` | Probe `_sips._tcp` (default: `true`). | ## Tests performed 1. NAPTR lookup (`SIP+D2U`, `SIP+D2T`, `SIPS+D2T`). 2. SRV lookup for the three transports. 3. Fallback to `:5060` / `:5061` when no SRV is published, with a visible info marker in the report. 4. A/AAAA resolution of every SRV target. 5. TCP connect / UDP send / TLS handshake (with `InsecureSkipVerify: true`, cert posture is the TLS checker's job). 6. SIP `OPTIONS` request with status, headers and `Allow` parsed. ## Rules | Code | Description | Severity | |------------------------------|---------------------------------------------------------------------------------------------------|---------------------| | `sip.srv_present` | Verifies that `_sip._udp` / `_sip._tcp` / `_sips._tcp` SRV records are published and resolvable. | CRITICAL | | `sip.transport_diversity` | Verifies that modern SIP transports (TCP, and ideally TLS) are published alongside legacy UDP. | WARNING | | `sip.srv_targets_resolvable` | Verifies that every SRV target resolves to at least one A or AAAA address. | CRITICAL | | `sip.endpoint_reachable` | Verifies that every discovered SIP endpoint accepts a connection on its transport. | CRITICAL | | `sip.options_response` | Verifies that every reachable SIP endpoint answers OPTIONS with a 2xx response. | CRITICAL | | `sip.options_capabilities` | Reviews the Allow header advertised in OPTIONS replies (INVITE support, Allow presence). | WARNING | | `sip.ipv6_coverage` | Verifies at least one SIP endpoint is reachable over IPv6. | INFO | | `sip.tls_quality` | Folds the downstream TLS checker findings (chain, hostname match, expiry) onto the SIP service. | CRITICAL | ## License Licensed under the **MIT License** (see `LICENSE`).