On Tue Aug 23 15:18:42 2016, mat@FreeBSD.org wrote:
> So, the OP says that if the BIND9 port is built with the native-pkcs11
> option, it fails with:
> 
> root@freebsd:~ # dnssec-keyfromlabel -l
> 'pkcs11:object=sample_ksk;pin-source=/etc/token_pin' -a RSASHA256 -f KSK
> -v3  -E /usr/local/lib/softhsm/libsofthsm2.so example.com
> dnssec-keyfromlabel: fatal: failed to get key example.com/RSASHA256: built
> with no crypto support

=> can you check the configure log? There was a bug (was = fixed now)
in configure which can mess the crypto selection and
can give no crypto at all (i.e., not OpenSSL nor PKCS#11).