dnssec-keyfromlabel — DNSSEC key generation tool
dnssec-keyfromlabel  {-a algorithm} {-l label} [-c ] [class-f ] [flag-k] [-n ] [nametype-p ] [protocol-t ] [type-v ] {name}level
dnssec-keyfromlabel gets keys with the given label from a crypto hardware and builds key files for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034.
algorithm
	    Selects the cryptographic algorithm.  The value of
	    algorithm must be one of RSAMD5,
 	    RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256,
 	    RSASHA512 or DH (Diffie Hellman).
	    These values are case insensitive.
	  
            If no algorithm is specified, then RSASHA1 will be used by
            default, unless the -3 option is specified,
            in which case NSEC3RSASHA1 will be used instead.  (If
            -3 is used and an algorithm is specified,
            that algorithm will be checked for compatibility with NSEC3.)
          
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, and DSA is recommended.
Note 2: DH automatically sets the -k flag.
labelSpecifies the label of keys in the crypto hardware (PKCS#11 device).
nametype
            Specifies the owner type of the key.  The value of
            nametype must either be ZONE (for a DNSSEC
            zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
            a host (KEY)),
            USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
            These values are
            case insensitive.
          
classIndicates that the DNS record containing the key should have the specified class. If not specified, class IN is used.
flagSet the specified flag in the flag field of the KEY/DNSKEY record. The only recognized flag is KSK (Key Signing Key) DNSKEY.
Prints a short summary of the options and arguments to dnssec-keygen.
Generate KEY records rather than DNSKEY records.
protocolSets the protocol value for the generated key. The protocol is a number between 0 and 255. The default is 3 (DNSSEC). Other possible values for this argument are listed in RFC 2535 and its successors.
type
            Indicates the use of the key.  type must be
            one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF.  The default
            is AUTHCONF.  AUTH refers to the ability to authenticate
            data, and CONF the ability to encrypt data.
          
levelSets the debugging level.
      When dnssec-keyfromlabel completes
      successfully,
      it prints a string of the form Knnnn.+aaa+iiiii
      to the standard output.  This is an identification string for
      the key files it has generated.
    
nnnn is the key name.
        
aaa is the numeric representation
          of the
          algorithm.
        
iiiii is the key identifier (or
          footprint).
        
dnssec-keyfromlabel 
      creates two files, with names based
      on the printed string.  Knnnn.+aaa+iiiii.key
      contains the public key, and
      Knnnn.+aaa+iiiii.private contains the
      private
      key.
    
      The .key file contains a DNS KEY record
      that
      can be inserted into a zone file (directly or with a $INCLUDE
      statement).
    
      The .private file contains algorithm
      specific
      fields.  For obvious security reasons, this file does not have
      general read permission.