dnssec-dsfromkey — DNSSEC DS RR generation tool
dnssec-dsfromkey  [-v ] [level-1] [-2] [-a ] {keyfile}alg
dnssec-dsfromkey  {-s} [-v ] [level-1] [-2] [-a ] [alg-c ] [class-d ] {dnsname}dir
dnssec-dsfromkey outputs the Delegation Signer (DS) resource record (RR), as defined in RFC 3658 and RFC 4509, for the given key(s).
Use SHA-1 as the digest algorithm (the default is to use both SHA-1 and SHA-256).
Use SHA-256 as the digest algorithm.
algorithm
            Select the digest algorithm. The value of
            algorithm must be one of SHA-1 (SHA1) or
            SHA-256 (SHA256). These values are case insensitive.
          
levelSets the debugging level.
Keyset mode: in place of the keyfile name, the argument is the DNS domain name of a keyset file. Following options make sense only in this mode.
classSpecifies the DNS class (default is IN), useful only in the keyset mode.
directory
            Look for keyset files in
            directory as the directory, ignored when
            not in the keyset mode.
          
      To build the SHA-256 DS RR from the
      Kexample.com.+003+26160
      keyfile name, the following command would be issued:
    
dnssec-dsfromkey -2 Kexample.com.+003+26160
    
The command would print something like:
example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94
    
      The keyfile can be designed by the key identification
      Knnnn.+aaa+iiiii or the full file name
      Knnnn.+aaa+iiiii.key as generated by
      dnssec-keygen(8).
    
      The keyset file name is built from the directory,
      the string keyset- and the
      dnsname.