DynDNS works fine. CA/B Baseline Requirements (which all trusted CAs have to follow) forbid issuance of certificates that include internal names. Whether you actually bought the domain or just have control over a subdomain (as with DynDNS) doesn't matter.
As long as the domain is on the Public Suffix List (which should be best practice for DynDNS providers), you don't even have to worry about rate limits.
AFAIK, certificates for non-reserved IPs would be allowed. Let's Encrypt doesn't support that, however. I imagine proof of ownership would be harder to demonstrate for an IP address (compared to a DNS name).
> As long as the domain is on the Public Suffix List
Oh, cool, I did not know that this project included stuff like DynDNS! I thought a normal, paid domain was the only way to go (other than dot tk).
> AFAIK, certificates for non-reserved IPs would be allowed.
Many IP addresses are dynamic though, I know of no CA where you can register an IP address and I'd imagine it being for that reason (and it might be CGNAT and perhaps some other reasons). You can of course self-sign one with an IP address, but I don't expect any CA to sign those.
As long as the domain is on the Public Suffix List (which should be best practice for DynDNS providers), you don't even have to worry about rate limits.
AFAIK, certificates for non-reserved IPs would be allowed. Let's Encrypt doesn't support that, however. I imagine proof of ownership would be harder to demonstrate for an IP address (compared to a DNS name).