When is "NSEC3", optionally specify the NSEC3 "OptOut" Flag. Default is no OptOut. - When is "NSEC3", optionally specify ...

      -- When  is "NSEC3", optionally specify the NSEC3
                     "OptOut" Flag. Default is no OptOut.
       -- When  is "NSEC3", optionally specify the number
                     of additional iterations to use when generating hashed
                     node owner names.
  
                  -- When  is "NSEC3", optionally specify length, in
                     bytes, of automatically generated salt for hashing node
                     owner names. The default is 8. To specify salt explicitly,
                     set  to 0 and set .
   -- If  is 0, specify the NSEC3 salt as
                     the text representation of hexadecimal nibbles. Use "-"
                     for empty (NULL) salt.

  /AddKey         -- a key specified as "/Addkey [] "
                     will be added to the zone file, but will not be used 
                     to sign any records.
  /SignKey        -- a key specified as "/SignKey [] 
                     [/ValidFrom ] [/ValidTo ] []
                     " will be added to the zone file and used to
                     sign records.
  Multiple /AddKey and /SignKey parameters can be given to specify multiple
  keys.  The subsections of the /SignKey parameter must be given in the 
  specified order. 


  can be one of the following:
                     /AllRR          -- this key will be used to sign all records.
                     /DnskeyOnly     -- this key will be used to sign DNSKEY record
                                        set at zone root only.

   gives the user the ability to override ZSK or KSK flag.  If 
  no  is given, a key without the KSK flag will be used to sign all
  records in the zone, and a key with the KSK flag will be used to sign DNSKEY
  record sets at zone root only.

       -- the start time of the validity period of RRSIG records
                     created using this key in YYYYMMDDHHMMSS (4-digit year,
                     2-digit month, 2-digit day, 2-digit hour, 2-digit minute,
                     and 2-digit second).
                     The time is UTC. If  is not given, the validity
                     period will start one hour before the current time.
         -- the end time of the validity period of RRSIG records
                     in YYYYMMDDHHMMSS (4-digit year, 2-digit month, 2-digit
                     day, 2-digit hour, 2-digit minute, and 2-digit second).
                     The time is UTC. If  is not given, the validity
                     period will end 30 days from the beginning of validity
                     period for zone signing keys or 13 months from the
                     beginning of the validity period for key signing keys.

            can contain the following options: 
                     /Alg  [/Flags ]

          -- the key algorithm mnemonic string. Currently only 
                     "RSASHA1", "NSEC3RSASHA1", "RSASHA256", "RSASHA512",
                     "ECDSAP256SHA256" and "ECDSAP384SHA384" are supported.
        -- bits to be set to 1 in DNSKEY flags field. If 
                     is "KSK", the Secure Entry Point bit will be set to 1
                     to indicate that this key is a Key Signing Key. If no
                      parameter is given, the key is considered to be
                     a Zone Signing Key.
  If the key is a certificate generated by /OfflineSign /GenKey command,
  the user does not need to give .  The tool is able to extract the
  information from the subject of the certificate.