Feature #6373
closed
RFC2136 DDNS could be more configurable to improve security
100%
Description
Our RFC2136-style DDNS depends on external determination of the real IP address (usu. DHCP-assigned by the ISP). Such dynamically-assigned addressing is pervasive, but the design is half-baked: there is no specification of any means by which devices inside the boundary created by the client device (e.g. cable router) may officially, authentically, and privately discover their effective external IP from the entity which has assigned it.
So presently this determination is made by querying a hardcoded URL. (To reiterate: this isn't about where the DDNS name-to-address mapping is registered, this is about how pfSense discovers a dynamically-assigned external IP address.)
While this might be tolerable for personal or casual use, we can easily do much better.
There are two improvements needed:
(1) Allow the URL used for external IP discovery to be user-configurable, on a per-mapping basis,
(2) Support "https://" URLs in this configurable item.
The second should essentially 'just work' once the first is done. However, help text and other documentation need to reference appropriate configuration of, e.g., external CA certificates in a fashion similar to that of certificate-based authentication of IPsec endpoints, etc.
(An ancillary topic is: to what should the default configurable be set?)
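
A sketch of the two requested improvements, added here as an illustration and not taken from pfSense's code: a per-mapping check-IP URL that must be `https://`, fetched with certificate and hostname verification against an optional CA bundle. It goes one step beyond the request by also validating the response body. The `MAPPING` keys, the URL and all function names are assumptions made for this example.

```python
import ipaddress
import re
import ssl
import urllib.request
from urllib.parse import urlsplit

# Hypothetical per-mapping settings; key names and URL are constructed for this example.
MAPPING = {"checkip_url": "https://checkip.example.net/", "ca_file": None}

def validate_checkip_url(url):
    """Accept only https:// URLs with a host and no embedded credentials."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("check-IP URL must use https://")
    if not parts.hostname or parts.username or parts.password:
        raise ValueError("check-IP URL needs a plain hostname")
    return url

def tls_context(ca_file=None):
    """Verify certificate chain and hostname; ca_file selects a private CA bundle."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def parse_external_ip(body):
    """Return the single globally routable address found in the response body."""
    found = set()
    for tok in re.findall(r"[0-9A-Fa-f:.]{3,45}", body):
        try:
            found.add(ipaddress.ip_address(tok.lstrip(":").rstrip(".")))
        except ValueError:
            continue  # hex-looking fragments of ordinary words, version strings, etc.
    if len(found) != 1:
        raise ValueError("expected exactly one IP address in response")
    addr = found.pop()
    if not addr.is_global:  # rejects RFC 1918, CGNAT, loopback, link-local
        raise ValueError("address is not globally routable: %s" % addr)
    return str(addr)

def discover_external_ip(mapping, timeout=10):
    """Fetch the external address for one DDNS mapping over verified TLS."""
    url = validate_checkip_url(mapping["checkip_url"])
    ctx = tls_context(mapping.get("ca_file"))
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        if urlsplit(resp.geturl()).scheme != "https":
            raise ValueError("redirected away from https")
        return parse_external_ip(resp.read(4096).decode("ascii", "replace"))
```

Rejecting non-global answers keeps a misbehaving or spoofed check-IP service from pushing a private or CGNAT address into the RFC2136 update.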