Autodetection of IP address for nsupdate of A record

/dev/rob0 rob0 at gmx.co.uk
Sun Apr 24 00:33:48 UTC 2011


Seven long years ago on this very mailing list I asked for help. I 
got an excellent reply from none other than Paul Vixie.
    https://lists.isc.org/pipermail/bind-users/2004-May/050232.html
I was a bit overwhelmed at the time, and didn't quite grasp the 
niceties of nsupdate and RFC 2136, but in seven years, things begin 
to sink in. :) (Belated thanks, Paul, if as I suspect, you're still 
here.)

I did go ahead and make my dynamic subzone back then, but I didn't 
implement the proper nsupdate and key interface that I should have. 
Seems so obvious now: user generates a SIG(0) key and sends me the 
.key part (or, I generate the key and send her the .private part); 
I'll nsupdate "update add <that-name>.my.dynamic.zone. $TTL KEY 
<keydata>" with my master key, and then the user can nsupdate and
add/change records with a simple script.

  update-policy {
    grant my.dynamic.zone.key subdomain my.dynamic.zone ANY;
    grant * self * A TXT;
  };

Tested and working. :) (BTW the ARM could use some examples under 
Bv9ARM.ch06.html#dynamic_update_policies , I had to Google to find 
the "grant * self *" line.)

What I implemented back in '04 works pretty well for non-DNS-savvy 
users; it's a simple Web form that does password authentication. If 
username and password match, it runs a little shell script which 
nsupdates the zone with my master (TSIG) key. The Web form is 
wget(1)-able or can be used interactively.

With httpd and CGI, it's easy to get the connecting client's IP 
address. So my Web form passes that to the shell script, and that 
value is passed to nsupdate for the A record.

Now I want to do it right, but I don't see a way for nsupdate to do 
what httpd does: autodetection of client IP address for nsupdate of 
its A record.

I can script something on the client end to get the IP address, but 
if possible I'd prefer autodetection, which would be OS- and 
shell-agnostic. Is that possible?

A different matter, but slightly related: I want to use some of the 
SIG(0) keys for access control. Bv9ARM.ch04.html#id2571654 (the 
section entitled "SIG(0)") says this is possible, but I am not 
understanding how.

"When a SIG(0) signed message is received, it will only be verified 
if the key is known and trusted by the server; the server will not 
attempt to locate and/or validate the key."

How do you tell the server to know and trust a SIG(0) key? Does the 
fact that the server is authoritative for my.dynamic.zone mean that 
having a KEY RR at keytest.my.dynamic.zone is known? No, that sounds 
more like "locat[ing] and/or validat[ing] the key."

I suppose the server only needs the public key (.key) part, but I 
failed to find any named.conf(5) examples of a SIG(0) key for access.

And continuing on to the next slightly related matter: the SIG(0) 
section of Bv9ARM.ch04.html goes on to say:

"The only tool shipped with BIND 9 that generates SIG(0) signed 
messages is nsupdate."

So if I wanted my home server to be able to nsupdate with a SIG(0) 
key, that works, but I can't have my named use that key to AXFR or 
IXFR my zones?
-- 
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header
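An added example, not part of the original post and not BIND's own code: a POSIX sh helper for the CGI-to-nsupdate approach the post describes. It takes the connecting client's address from the standard CGI variable REMOTE_ADDR, checks that both the form username and the address are safe to interpolate into an nsupdate batch (an unchecked value from a web form would otherwise go straight into the update), and prints the commands that replace the user's A record. The zone name, TTL, master server name and TSIG key path are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not from the original post. Builds the nsupdate batch for the
# Web-form flow: authenticated username -> <username>.my.dynamic.zone A <client IP>.
# Zone, TTL, server name and key path below are hypothetical.

ZONE="my.dynamic.zone"                                     # assumed dynamic subzone
KEYFILE="/etc/bind/Kmy.dynamic.zone.+157+12345.private"   # hypothetical master TSIG key
TTL=300

# is_ipv4 ADDR: true only for a strict dotted quad with each octet in 0..255.
# Hostnames, IPv6 literals and anything carrying shell or nsupdate syntax
# ("192.0.2.1; rm -rf /") are rejected before they can reach the batch.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldIFS=$IFS; IFS=.; set -- $1; IFS=$oldIFS
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -ge 0 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# is_label NAME: one DNS label of letters, digits and hyphens, 1-63 chars,
# not starting or ending with a hyphen. The form username becomes the owner
# name, so a dot or whitespace here would let a user write outside her name.
is_label() {
    case "$1" in
        ''|-*|*-|*[!A-Za-z0-9-]*) return 1 ;;
    esac
    [ ${#1} -le 63 ]
}

# update_batch NAME ADDR: print the nsupdate commands that replace NAME's A
# record with ADDR. Prints nothing and returns non-zero if either value fails
# validation, so a bad value can never be spliced into the update.
update_batch() {
    is_label "$1" && is_ipv4 "$2" || return 1
    printf 'server ns1.%s\n' "$ZONE"            # hypothetical master name server
    printf 'zone %s\n' "$ZONE"
    printf 'update delete %s.%s. A\n' "$1" "$ZONE"
    printf 'update add %s.%s. %s A %s\n' "$1" "$ZONE" "$TTL" "$2"
    printf 'send\n'
}

# cgi_update NAME: called by the Web form after the password check succeeds.
# REMOTE_ADDR is set by httpd for CGI; the batch is signed with the master key.
# Not run at load time, so the file can be sourced for testing without nsupdate.
cgi_update() {
    update_batch "$1" "${REMOTE_ADDR:?not running under CGI}" | nsupdate -k "$KEYFILE"
}
```

Run it as `cgi_update "$USERNAME"` from the CGI wrapper once authentication has passed; because the client address comes from httpd's REMOTE_ADDR, a user behind NAT gets the address the server actually sees, which is what the existing form already does.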