The DNSSEC-keygen -n HOST will create a key pair. The key material is the same in both the private and public part of the key.
	Ônamed.confÕ is normally world readable. To protect your keys put them in a separate root only readable  ÒkeyfileÓ and use  include ÒkeyfileÓ; in your named.conf.