For ECC Keys

1. Generate the key file for KSK.

# dnssec-keyfromlabel -E pkcs11 -f KSK a- ECDSAP256SHA256 -l "pkcs11:token=Bind9;object=ksk" exampleecc.net 

Where the parameters

• -E Is for engine

• -l specifies the key label in pkcs11 URI format

• -f specifies the key flag  -a is the algorithm example.net is name of zone

Key file generation for the KSK Key

2. Generate the key file for ZSK.

# dnssec-keyfromlabel -E pkcs11 -a ECDSAP256SHA256 -l "pkcs11:token=Bind9;object=zsk" exampleecc.net 

Key file generation for the ZSK Key

Where the parameters

• -E Is for engine

• -l specifies the key label in pkcs11 URI format

• -f specifies the key flag

• -a is the algorithm

example.net is name of zone

3. Verify that you have two KSK and two ZSK key files available.

# ls -l K* 

List files