On Sun Dec 03 08:04:33 2017, muks wrote:
> Francis also came back to me with similar arguments about OpenSSL
> PKCS #11 support. I have checked that his specific claims are untrue.
> 
> If you can list things that don't work, I can check these too.
> 
> Look at: https://github.com/OpenSC/libp11
> 
> This is the better way to install a PKCS #11 OpenSSL engine, not our
> OpenSSL patching and custom build method.

=> libp11 did not support fetch per key label the last time
I looked the code. BTW it is simple to check: build  bind with it
and verify dnssec-keyfromlabel does what it is expected to do.