I do not have anything against this being implemented as per the specs, with an option (a new flag) to the auth functions (likely it needs to be done in several modules that do digest-auth with various backends). It would also make sense to see what the specs say about a UA reusing a nonce, if it is something recommended or just something some UAs do for convenience. When the nonce is returned the first time, it is unlikely that it will expire before the first usage; expiration happens when the UA uses the nonce from the previous registration, which probably happened minutes ago. Is this something covered by the specs?
Anyhow, setting this option in the default config file is something I don't consider really good from a security point of view. Hitting the database can be a big performance impact. Adding additional rules to overcome the potential DoS exposure, such as fail2ban, is of course good, but it also does not belong in the default config file. There are many options that the auth modules have, including one-time-nonce, different auth qop, etc. I think all of these can be added to the advanced config, now located in misc/examples/pkg/kamailio-oob.cfg.
I prefer to keep kamailio.cfg as a complete-enough but still basic starting point to build the config file. There will be more negative feedback if the default config has poor performance and exposes users to more security risks than if someone reads the docs and enables various auth options to tune it for specific needs.
Actually, so far nobody has complained about the lack of stale=true. I have seen some UAs that reused the nonce between registrations, and typically they don't ask for a new password if they reused the nonce, only when they got a fresh one and the auth failed... but these could be specific implementation details; the specs should be checked about the reuse of the nonce to see what behaviour should be there.
Cheers,
Daniel
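
The trade-off discussed in this message, as an added example that is not part of the original e-mail and is not Kamailio code: RFC 2617 lets a server set stale=true only when the nonce has expired but the digest computed with it is valid, so deciding on stale costs a credential lookup even for an expired nonce. The secret, lifetime, user store and function names are constructed assumptions, and the digest is computed without qop for brevity.

```python
import hashlib
import hmac

SECRET = b"constructed-server-secret"   # constructed value
NONCE_TTL = 300                         # seconds; assumed nonce lifetime
# Constructed credential store; a lookup here stands in for the database hit.
HA1_DB = {("alice", "example.org"):
          hashlib.md5(b"alice:example.org:s3cret").hexdigest()}
STATS = {"lookups": 0}                  # counts credential-store accesses

def _mac(ts):
    return hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()[:16]

def make_nonce(now):
    ts = str(int(now))
    return f"{ts}.{_mac(ts)}"

def nonce_state(nonce, now):
    """Classify a nonce as forged/expired/fresh without any lookup."""
    ts, _, mac = nonce.partition(".")
    if not ts.isdigit() or not hmac.compare_digest(mac.encode(), _mac(ts).encode()):
        return "forged"
    return "expired" if now - int(ts) > NONCE_TTL else "fresh"

def digest_response(ha1, nonce, method, uri):
    # Digest without qop: MD5(HA1:nonce:HA2)
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()

def check(user, realm, nonce, method, uri, response, now):
    """Return (status, stale) for one authenticated request."""
    state = nonce_state(nonce, now)
    if state == "forged":
        return 401, False               # rejected cheaply, no lookup
    STATS["lookups"] += 1               # needed even when the nonce expired
    ha1 = HA1_DB.get((user, realm))
    expected = digest_response(ha1, nonce, method, uri) if ha1 else ""
    if not hmac.compare_digest(expected.encode(), response.encode()):
        return 401, False               # wrong password: never stale=true
    if state == "expired":
        return 401, True                # valid digest, old nonce: stale=true
    return 200, False
```

A server that answers every expired nonce with a plain 401 can skip the lookup on that path, which is the cheaper behaviour and the one that makes some UAs prompt for the password again.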