deSEC has really helped me out with the ability to have DDNS for various sub-domains on my domain. One key feature is that you can have authentication credentials restricted to a specific sub-domain which is far more secure that having a credential that can be used to make changes to an entire zone.
I put together a script to automate this use case. It creates the sub-domain if it doesn’t exist, creates a token for that sub-domain and then creates the three needed policies to restrict that token to that sub-domain. At the end it spits out the DDNS info for your updater. Just a bash script I run on my mac…