ddclient / ddclient

Ddclient updates dynamic DNS entries for accounts on a wide range of dynamic DNS services.

Home Page: https://ddclient.net

[IDEA] IPv6 Prefix only updater

Jannik-Hm opened this issue

For people using only ULAs in their local infrastructure and NPTv6, for example in their OPNSense, to prevent dynamic prefix updates messing with local firewall rules etc., it could be very interesting if ddclient could centrally just update the prefix of IPv6 entries.

One possible (probably inefficient) flow:

  1. GET specified AAAA entries
  2. only replace prefix of received entries
  3. POST back update to DNS provider

It would allow centrally managing DNS API credentials and still keep the upside of unique addresses per service.

Any thoughts?

I don't think I fully understand the use case. Why wouldn't usev6=webv6 work here?

Maybe I missed a setting, but the thing with IPv6 is that it terminates at the application (for example your web server). Therefore, if I want to configure my API key for ddclient only at my OPNSense router, I don't know to what exact IP a domain entry is matched. I only know the IPv6 prefix and, in combination with NPTv6, it is the only part of the IPv6 public IP that changes.
With IPv6 we aren't NATting at the router level anymore.

If I missed a setting that allows handling something like this, then I am sorry for the issue.

I think I understand what you're saying. Let me rephrase to make sure I understand: You want to run ddclient only on your OPNSense router, and you want it to update AAAA DNS records for multiple hosts behind your OPNSense router. The OPNSense router doesn't know the full public IPv6 addresses of the hosts behind the router, only their (common) public prefix. You want ddclient to:

  1. fetch the current AAAA record for each host,
  2. see if the prefix in the record matches the current public prefix,
  3. if not, update the record so that:
    • the prefix in the AAAA record matches the current public prefix, and
    • the suffix in the record is unchanged

Is that correct?

If so, can you use usev6=cmdv6 and write a little script that queries DNS and replaces the prefix?
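The prefix-replacement step of such a script, as an added example that is not code from the ddclient project or from either participant. The hostnames, the 2001:db8:: documentation addresses and the function names are constructed, and it assumes the current AAAA values and the current public prefix have already been obtained on the router.

```python
import ipaddress

# Constructed sample data (RFC 3849 documentation prefix), not real records.
SAMPLE_RECORDS = {
    "web.example.net": "2001:db8:aaaa:1::80",   # stale prefix
    "git.example.net": "2001:db8:bbbb:1::22",   # already current
    "bad.example.net": "not-an-address",        # malformed DNS answer
}
SAMPLE_PREFIX = "2001:db8:bbbb::/48"


def replace_prefix(record: str, public_prefix: str) -> str:
    """Return record with its leading bits taken from public_prefix.

    strict=True rejects a prefix with host bits set, so a mistyped prefix
    raises ValueError instead of being written into a record.
    """
    net = ipaddress.IPv6Network(public_prefix, strict=True)
    suffix = int(ipaddress.IPv6Address(record)) & int(net.hostmask)
    return str(ipaddress.IPv6Address(int(net.network_address) | suffix))


def plan_updates(records: dict, public_prefix: str) -> dict:
    """Map hostname -> new AAAA value for records whose prefix is stale."""
    net = ipaddress.IPv6Network(public_prefix, strict=True)
    updates = {}
    for host, value in records.items():
        try:
            addr = ipaddress.IPv6Address(value)
        except ValueError:
            continue  # never rewrite something that is not an IPv6 address
        if addr not in net:
            updates[host] = replace_prefix(value, public_prefix)
    return updates


if __name__ == "__main__":
    for host, new_value in plan_updates(SAMPLE_RECORDS, SAMPLE_PREFIX).items():
        print(host, new_value)
```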

That is exactly my goal.

I've got to say I'm still kind of new to OPNSense. I'd like to have everything network-related on a dedicated OPNSense box, so that if I take down any hypervisor in my lab, it doesn't take down any others, as well as having to set up ddclient on each VM. I also don't want to have an API key in any VM that might get compromised.

As far as I can tell, the OPNSense plugin only supports web and interface use.
If I missed an option box in the GUI, feel free to correct me.
As far as I understand, the OPNSense plugin is the upstream ddclient, but does not make the complete config available.

I don't know if it's a bad approach I'm describing here, but I think that especially for homelabbers who want to manage their IPv6 like they are used to with IPv4 (internal static and external dynamic), this could be a use case.

I see that the ddclient conf might be accessible via CLI.
Sadly I currently don't have the time to try out the cmd option.
I'll hopefully get around to it in about 4 weeks.
If you have another idea in the meantime, I would appreciate it very much.