for a Hesiod class zone key:

  dnssec-keygen -a DSA -c HS -b 768 -n ZONE zone.name.

in the zone file, include:

  $INCLUDE "Kzone.name.+003+12345.key"

and then to sign a zone:

  dnssec-signzone -p -c HS -o zone.name zonefile

this writes directly to zonefile.signed, so stage first and
then copy if signature successful

timing:

  Ultra 1/170E

  ~1000 record zone, size ~100K, signzone time:
  170.21u 0.12s 2:56.45 96.5%
  [ sparcv7: 170ms per record ]
  36.92u 0.11s 0:40.23 92.0%
  [ sparcv9: ~37ms per record ]

  ~10000 records, size ~1M, signzone time:
  370.52u 0.93s 7:35.71 81.5%
  [ sparcv9: 6min total, same ~37ms per record ]