I am currently out of my office (~12000 km) and I'll go back in some hours, so I apologise for the likely delay for a detailed answer.

BTW there is a new PKCS#11 standard (the specs still require a final vote, and include files are not yet available) but it won't change anything, as HMAC has been covered for a long time. The native PKCS#11 supports *all* the standard crypto functions needed by named, including hash and HMAC. So there is nothing to change on this side.

If I understand well, you'd like to put secrets in the HSM. Currently this is supported only for RSA and ECDSA key pairs (look for a fromlabel method in the dst_funct arrays). Note that for OpenSSL only RSA keys are supported (sound, as ECC is not supported by the PKCS#11 OpenSSL engine). Anyway, it seems reasonable to extend fromlabel to HMAC secrets, as HMAC is already in the DST stuff. Now I need the opinion of my colleagues if the result will be to get a PKCS#11-specific feature.

Note I don't yet fully understand your point about rndc tsig-list. I am afraid the only current way to configure TSIG keys (aka secrets) is to put them in the named config file... Surely something which requires improvement ASAP...