For RSA Keys

1. Generate the key file for KSK.

›_ Console

# dnssec-keyfromlabel -E pkcs11 -f KSK -a RSASHA256 -l "pkcs11:token=Bind;object=ksk" example.net

Where the parameters are:

  • -E specifies the engine

  • -l specifies the key label in PKCS#11 URI format

  • -f specifies the key flag

  • -a specifies the algorithm

  • example.net is the name of the zone

Key file generation for the KSK Key

2. Generate the key file for ZSK.

›_ Console

# dnssec-keyfromlabel -E pkcs11 -a RSASHA256 -l "pkcs11:token=Bind;object=zsk" example.net

Key file generation for the ZSK Key

Where the parameters are:

  • -E specifies the engine

  • -l specifies the key label in PKCS#11 URI format

  • -a specifies the algorithm

  • example.net is the name of the zone

3. Verify that you have two KSK and two ZSK key files available.

›_ Console

# ls -l K* 

List files
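
A stricter form of the check in step 3, as an added example that is not part of the original guide: it reads each key file's DNSKEY flags (257 for KSK, 256 for ZSK) and algorithm number (8 for RSASHA256), and confirms that the matching .private file points at a PKCS#11 label rather than holding key material. The `Label:` and `PrivateExponent:` field names are assumptions about BIND's private-key file format, and the sample files, key IDs and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example; the .private field names are assumed, the sample data is constructed.

# Print "<role> <storage> <file>" for every K<zone>.+*.key file in DIR.
check_zone_keys() {
    dir=$1 zone=$2
    for key in "$dir"/K"$zone".+*.key; do
        [ -f "$key" ] || continue
        priv=${key%.key}.private
        # The flags and algorithm fields follow the DNSKEY token.
        fa=$(awk '!/^;/ { for (i = 1; i < NF; i++) if ($i == "DNSKEY") {
                 print $(i+1) "/" $(i+3); exit } }' "$key")
        case $fa in
            257/8) role=KSK ;;
            256/8) role=ZSK ;;
            *)     role=UNEXPECTED ;;
        esac
        # HSM-backed key: a pkcs11 label is present and no private exponent is on disk.
        if [ -f "$priv" ] && grep -q '^Label: pkcs11:' "$priv" \
           && ! grep -q '^PrivateExponent:' "$priv"; then
            store=hsm
        else
            store=ON-DISK
        fi
        echo "$role $store ${key##*/}"
    done
}

# write_sample DIR KEYID FLAGS PRIVATE_LINE: create one constructed key file pair.
write_sample() {
    printf '; constructed sample\nexample.net. IN DNSKEY %s 3 8 AwEAAbSAMPLE\n' "$3" \
        > "$1/Kexample.net.+008+$2.key"
    printf 'Private-key-format: v1.3\nAlgorithm: 8 (RSASHA256)\n%s\n' "$4" \
        > "$1/Kexample.net.+008+$2.private"
}

make_sample_keys() {
    write_sample "$1" 11111 257 'Label: pkcs11:token=Bind;object=ksk'
    write_sample "$1" 22222 256 'Label: pkcs11:token=Bind;object=zsk'
    # Failure case: a ZSK whose private exponent was written to disk.
    write_sample "$1" 33333 256 'PrivateExponent: c2FtcGxl'
}

tmp=$(mktemp -d)
make_sample_keys "$tmp"
check_zone_keys "$tmp" example.net
rm -rf "$tmp"
```

Against real key files, call `check_zone_keys` with the directory that holds the `K*` files and the zone name.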