By default, the output format is the text form of a DNS KEY record; the host name is the one included in the key information (or, if that is not available, the output of hostname --fqdn), with a . appended. If information about how the key was generated is available, that is provided as a DNS-file comment. For example (with the key data trimmed down for clarity):
; RSA 2048 bits xy.example.com Sat Apr 15 13:53:22 2000
xy.example.com. IN KEY 0x4200 4 1 AQOF8tZ2...+buFuFn/
The --txt option causes the output to be in opportunistic-encryption DNS TXT record format, with the specified gateway value. Again, generation information is included if available. For example, --txt 10.11.12.13 might give (with the key data trimmed for clarity):
; RSA 2048 bits xy.example.com Sat Apr 15 13:53:22 2000
IN TXT "X-IPsec-Server(10)=10.11.12.13 AQOF8tZ2...+buFuFn/"
No name is supplied in the TXT record because there are too many possibilities, depending on how it will be used.
The --left and --right options cause the output to be in ipsec.conf(5) format, as a leftrsasigkey or rightrsasigkey parameter respectively. Again, generation information is included if available. For example, --left might give (with the key data trimmed down for clarity):
# RSA 2048 bits xy.example.com Sat Apr 15 13:53:22 2000
leftrsasigkey=0x0103cc2a86fcf440...cf1011abb82d1
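The three output forms above are renderings of the same key bytes. The following added example (not code from the showhostkey man page or the FreeS/WAN sources) parses a base64 key blob in the RFC 2537 layout that ipsec.secrets 0s... values use, checks that it is well formed, recovers the modulus size for the generation comment, and emits the KEY, TXT and leftrsasigkey/rightrsasigkey forms. The key material, host name and timestamp are constructed placeholders; the TXT priority is a parameter here rather than a fixed 10.

```python
import base64
from datetime import datetime

# Constructed sample key material (NOT a real key): a 2048-bit filler modulus.
SAMPLE_MODULUS = bytes.fromhex("cc2a86fcf440") + b"\xa5" * 250
SAMPLE_HOST = "xy.example.com"
SAMPLE_TIME = datetime(2000, 4, 15, 13, 53, 22)

def encode_rsa_key(exponent, modulus):
    """RFC 2537 layout: exponent length, exponent, modulus; base64 as in ipsec.secrets 0s... values."""
    exp = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    length = bytes([len(exp)]) if len(exp) < 256 else b"\x00" + len(exp).to_bytes(2, "big")
    return base64.b64encode(length + exp + modulus).decode()

def parse_rsa_key(blob):
    """Return (exponent, modulus bit length); raise ValueError on a malformed blob."""
    raw = base64.b64decode(blob, validate=True)
    if len(raw) < 2:
        raise ValueError("key blob too short")
    if raw[0]:
        exp_len, off = raw[0], 1
    else:  # leading zero byte: a two-byte exponent length follows
        exp_len, off = int.from_bytes(raw[1:3], "big"), 3
    modulus = raw[off + exp_len:]
    if len(raw) < off + exp_len or not modulus:
        raise ValueError("key blob truncated")
    return int.from_bytes(raw[off:off + exp_len], "big"), int.from_bytes(modulus, "big").bit_length()

def _comment(marker, blob, host, when):
    """Generation comment line; the key size is recomputed from the blob, not trusted from elsewhere."""
    _, bits = parse_rsa_key(blob)
    return f"{marker} RSA {bits} bits {host} {when:%a %b %d %H:%M:%S %Y}"

def key_record(blob, host, when):
    """Default output: DNS KEY record (flags 0x4200, protocol 4 = IPsec, algorithm 1 = RSA)."""
    name = host if host.endswith(".") else host + "."
    return [_comment(";", blob, host, when), f"{name} IN KEY 0x4200 4 1 {blob}"]

def txt_record(blob, gateway, host, when, priority=10):
    """--txt output; the gateway must be supplied, the priority is a parameter here."""
    return [_comment(";", blob, host, when), f'IN TXT "X-IPsec-Server({priority})={gateway} {blob}"']

def conf_line(blob, side, host, when):
    """--left/--right output: the same key bytes rendered as 0x hex for ipsec.conf."""
    hex_key = "0x" + base64.b64decode(blob).hex()
    return [_comment("#", blob, host, when), f"{side}rsasigkey={hex_key}"]

SAMPLE_BLOB = encode_rsa_key(3, SAMPLE_MODULUS)

if __name__ == "__main__":
    print("\n".join(key_record(SAMPLE_BLOB, SAMPLE_HOST, SAMPLE_TIME)))
    print("\n".join(txt_record(SAMPLE_BLOB, "10.11.12.13", SAMPLE_HOST, SAMPLE_TIME)))
    print("\n".join(conf_line(SAMPLE_BLOB, "left", SAMPLE_HOST, SAMPLE_TIME)))
```

Because the hex form is a byte-for-byte re-encoding of the base64 form, a key that parses to the expected modulus size in one form should parse identically in the other; a mismatch indicates a copy error between ipsec.conf and DNS.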
Normally, the default key for this host is the one extracted. The --id option overrides this, causing extraction of the key labeled with the specified identity, if any.
The --file option overrides the default for where the key information should be found, and takes it from the specified secretfile.
The need to specify the gateway address (etc.) for --txt is annoying, but there is no good way to determine it automatically.
There should be a way to specify the priority value for TXT records; currently it is hardwired to 10.
The --id option assumes that the identity appears on the same line as the ": RSA {" that begins the key proper.