diff --git a/bind-9.10-dist-native-pkcs11.patch b/bind-9.10-dist-native-pkcs11.patch
index c1b479a..b623f58 100644
--- a/bind-9.10-dist-native-pkcs11.patch
+++ b/bind-9.10-dist-native-pkcs11.patch
@@ -12,7 +12,7 @@ index 9ad7f62..094775a 100644
  TARGETS =
  
 diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in
-index 1e0fe0e..dc3a7f6 100644
+index ef3e70c..1f5165a 100644
 --- a/bin/confgen/Makefile.in
 +++ b/bin/confgen/Makefile.in
 @@ -22,7 +22,7 @@ VERSION=@BIND9_VERSION@
@@ -24,61 +24,55 @@ index 1e0fe0e..dc3a7f6 100644
  CWARNINGS =
  
  ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
-diff --git a/bin/dig/Makefile.in b/bin/dig/Makefile.in
-index 2317ec0..0601939 100644
---- a/bin/dig/Makefile.in
-+++ b/bin/dig/Makefile.in
-@@ -21,7 +21,7 @@ CINCLUDES =	-I${srcdir}/include ${DNS_INCLUDES} \
- 		${BIND9_INCLUDES} ${ISC_INCLUDES} \
- 		${IRS_INCLUDES} ${ISCCFG_INCLUDES} @LIBIDN2_CFLAGS@ @OPENSSL_INCLUDES@
- 
--CDEFINES =	-DVERSION=\"${VERSION}\" @USE_PKCS11@
-+CDEFINES =	-DVERSION=\"${VERSION}\"
- CWARNINGS =
- 
- ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
 diff --git a/bin/dnssec-pkcs11/Makefile.in b/bin/dnssec-pkcs11/Makefile.in
-index 1dad340..ffac64e 100644
+index 7486bf0..7d791d1 100644
 --- a/bin/dnssec-pkcs11/Makefile.in
 +++ b/bin/dnssec-pkcs11/Makefile.in
-@@ -15,16 +15,16 @@ VERSION=@BIND9_VERSION@
+@@ -15,18 +15,18 @@ VERSION=@BIND9_VERSION@
  
  @BIND9_MAKE_INCLUDES@
  
--CINCLUDES =	${DNS_INCLUDES} ${ISC_INCLUDES} @OPENSSL_INCLUDES@
-+CINCLUDES =	${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} @OPENSSL_INCLUDES@
+-CINCLUDES =	${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \
++CINCLUDES =	${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \
+ 		${OPENSSL_CFLAGS}
  
- CDEFINES =	-DVERSION=\"${VERSION}\" @USE_PKCS11@
+-CDEFINES =	-DVERSION=\"${VERSION}\" -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
++CDEFINES =	-DVERSION=\"${VERSION}\" -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\" -DUSE_PKCS11=1
  CWARNINGS =
  
 -DNSLIBS =	../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
 +DNSLIBS =	../../lib/dns-pkcs11/libdns-pkcs11.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_PK11_LIBS@
- ISCLIBS =	../../lib/isc/libisc.@A@ @OPENSSL_LIBS@
- ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LIBS@
+ ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
+ ISCLIBS =	../../lib/isc/libisc.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS} ${ZLIB_LIBS}
+ ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS} ${ZLIB_LIBS}
  
 -DNSDEPLIBS =	../../lib/dns/libdns.@A@
 +DNSDEPLIBS =	../../lib/dns-pkcs11/libdns-pkcs11.@A@
  ISCDEPLIBS =	../../lib/isc/libisc.@A@
+ ISCCFGDEPLIBS =	../../lib/isccfg/libisccfg.@A@
  
- DEPLIBS =	${DNSDEPLIBS} ${ISCDEPLIBS}
-@@ -34,11 +34,11 @@ LIBS =		${DNSLIBS} ${ISCLIBS} @LIBS@
- NOSYMLIBS =	${DNSLIBS} ${ISCNOSYMLIBS} @LIBS@
+@@ -36,12 +36,15 @@ LIBS =		${DNSLIBS} ${ISCCFGLIBS} ${ISCLIBS} @LIBS@
  
+ NOSYMLIBS =	${DNSLIBS} ${ISCCFGLIBS} ${ISCNOSYMLIBS} @LIBS@
+ 
++# Add suffix to all targets
++EXEEXT =	-pkcs11@EXEEXT@
++
  # Alphabetically
 -TARGETS =	dnssec-cds@EXEEXT@ dnssec-dsfromkey@EXEEXT@ \
 -		dnssec-importkey@EXEEXT@ dnssec-keyfromlabel@EXEEXT@ \
 -		dnssec-keygen@EXEEXT@ dnssec-revoke@EXEEXT@ \
 -		dnssec-settime@EXEEXT@ dnssec-signzone@EXEEXT@ \
 -		dnssec-verify@EXEEXT@
-+TARGETS =	dnssec-cds-pkcs11@EXEEXT@ dnssec-dsfromkey-pkcs11@EXEEXT@ \
-+		dnssec-importkey-pkcs11@EXEEXT@ dnssec-keyfromlabel-pkcs11@EXEEXT@ \
-+		dnssec-keygen-pkcs11@EXEEXT@ dnssec-revoke-pkcs11@EXEEXT@ \
-+		dnssec-settime-pkcs11@EXEEXT@ dnssec-signzone-pkcs11@EXEEXT@ \
-+		dnssec-verify-pkcs11@EXEEXT@
++TARGETS =	dnssec-cds${EXEEXT} dnssec-dsfromkey${EXEEXT} \
++		dnssec-importkey${EXEEXT} dnssec-keyfromlabel${EXEEXT} \
++		dnssec-keygen${EXEEXT} dnssec-revoke${EXEEXT} \
++		dnssec-settime${EXEEXT} dnssec-signzone${EXEEXT} \
++		dnssec-verify${EXEEXT}
  
  OBJS =		dnssectool.@O@
  
-@@ -61,19 +61,19 @@ MANOBJS =	${MANPAGES} ${HTMLPAGES}
+@@ -64,19 +67,19 @@ MANOBJS =	${MANPAGES} ${HTMLPAGES}
  
  @BIND9_MAKE_RULES@
  
@@ -102,7 +96,7 @@ index 1dad340..ffac64e 100644
  	export BASEOBJS="dnssec-keygen.@O@ ${OBJS}"; \
  	${FINALBUILDCMD}
  
-@@ -81,7 +81,7 @@ dnssec-signzone.@O@: dnssec-signzone.c
+@@ -84,7 +87,7 @@ dnssec-signzone.@O@: dnssec-signzone.c
  	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
  		-c ${srcdir}/dnssec-signzone.c
  
@@ -111,7 +105,7 @@ index 1dad340..ffac64e 100644
  	export BASEOBJS="dnssec-signzone.@O@ ${OBJS}"; \
  	${FINALBUILDCMD}
  
-@@ -89,19 +89,19 @@ dnssec-verify.@O@: dnssec-verify.c
+@@ -92,19 +95,19 @@ dnssec-verify.@O@: dnssec-verify.c
  	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
  		-c ${srcdir}/dnssec-verify.c
  
@@ -135,7 +129,7 @@ index 1dad340..ffac64e 100644
  	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
  	dnssec-importkey.@O@ ${OBJS} ${LIBS}
  
-@@ -112,16 +112,14 @@ docclean manclean maintainer-clean::
+@@ -115,16 +118,14 @@ docclean manclean maintainer-clean::
  
  installdirs:
  	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
@@ -153,33 +147,36 @@ index 1dad340..ffac64e 100644
  	for t in ${TARGETS}; do ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/$$t || exit 1; done
  
  clean distclean::
-diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in
-index 1dad340..321058b 100644
---- a/bin/dnssec/Makefile.in
-+++ b/bin/dnssec/Makefile.in
-@@ -17,7 +17,7 @@ VERSION=@BIND9_VERSION@
- 
- CINCLUDES =	${DNS_INCLUDES} ${ISC_INCLUDES} @OPENSSL_INCLUDES@
- 
--CDEFINES =	-DVERSION=\"${VERSION}\" @USE_PKCS11@
-+CDEFINES =	-DVERSION=\"${VERSION}\"
- CWARNINGS =
- 
- DNSLIBS =	../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
 diff --git a/bin/named-pkcs11/Makefile.in b/bin/named-pkcs11/Makefile.in
-index e5b0d4b..b739869 100644
+index cb187e5..1bcb249 100644
 --- a/bin/named-pkcs11/Makefile.in
 +++ b/bin/named-pkcs11/Makefile.in
-@@ -43,7 +43,7 @@ DLZDRIVER_INCLUDES =	@DLZ_DRIVER_INCLUDES@
- DLZDRIVER_LIBS =	@DLZ_DRIVER_LIBS@
+@@ -37,13 +37,14 @@ DBDRIVER_LIBS =
+ 
+ DLZ_DRIVER_DIR =	${top_srcdir}/contrib/dlz/drivers
+ 
+-DLZDRIVER_OBJS =	@DLZ_DRIVER_OBJS@
+-DLZDRIVER_SRCS =	@DLZ_DRIVER_SRCS@
+-DLZDRIVER_INCLUDES =	@DLZ_DRIVER_INCLUDES@
+-DLZDRIVER_LIBS =	@DLZ_DRIVER_LIBS@
++# Skip building on PKCS11 variant
++DLZDRIVER_OBJS =
++DLZDRIVER_SRCS =
++DLZDRIVER_INCLUDES =
++DLZDRIVER_LIBS =
  
  CINCLUDES =	-I${srcdir}/include -I${srcdir}/unix/include -I. \
 -		${NS_INCLUDES} ${DNS_INCLUDES} \
 +		${NS_PKCS11_INCLUDES} ${DNS_PKCS11_INCLUDES} \
  		${BIND9_INCLUDES} ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} \
  		${ISC_INCLUDES} ${DLZDRIVER_INCLUDES} \
- 		${DBDRIVER_INCLUDES} ${MAXMINDDB_CFLAGS} \
-@@ -53,37 +53,37 @@ CDEFINES =      @CONTRIB_DLZ@ @USE_PKCS11@
+ 		${DBDRIVER_INCLUDES} \
+@@ -53,24 +54,24 @@ CINCLUDES =	-I${srcdir}/include -I${srcdir}/unix/include -I. \
+ 		${MAXMINDDB_CFLAGS} \
+ 		${ZLIB_CFLAGS}
+ 
+-CDEFINES =      @CONTRIB_DLZ@
++CDEFINES =
  
  CWARNINGS =
  
@@ -187,8 +184,8 @@ index e5b0d4b..b739869 100644
 +DNSLIBS =	../../lib/dns-pkcs11/libdns-pkcs11.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_PK11_LIBS@
  ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
  ISCCCLIBS =	../../lib/isccc/libisccc.@A@
- ISCLIBS =	../../lib/isc/libisc.@A@ @OPENSSL_LIBS@
- ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LIBS@
+ ISCLIBS =	../../lib/isc/libisc.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS} ${ZLIB_LIBS}
+ ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS} ${ZLIB_LIBS}
  BIND9LIBS =	../../lib/bind9/libbind9.@A@
 -NSLIBS =	../../lib/ns/libns.@A@
 +NSLIBS =	../../lib/ns-pkcs11/libns-pkcs11.@A@
@@ -204,47 +201,16 @@ index e5b0d4b..b739869 100644
  
  DEPLIBS =	${NSDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
  		${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${ISCDEPLIBS}
- 
- LIBS =		${NSLIBS} ${DNSLIBS} ${BIND9LIBS} \
- 		${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} \
--		${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBCAP_LIBS@ \
-+		@LIBCAP_LIBS@ \
- 		@LIBS@
- 
- NOSYMLIBS =	${NSLIBS} ${DNSLIBS} ${BIND9LIBS} \
- 		${ISCCFGLIBS} ${ISCCCLIBS} ${ISCNOSYMLIBS} \
--		${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBCAP_LIBS@ \
-+		@LIBCAP_LIBS@ \
- 		@LIBS@
+@@ -87,7 +88,7 @@ NOSYMLIBS =	${NSLIBS} ${DNSLIBS} ${BIND9LIBS} \
  
  SUBDIRS =	unix
  
 -TARGETS =	named@EXEEXT@ feature-test@EXEEXT@
 +TARGETS =	named-pkcs11@EXEEXT@ feature-test-pkcs11@EXEEXT@
  
- GEOIPLINKOBJS = geoip.@O@
  GEOIP2LINKOBJS = geoip.@O@
-@@ -93,8 +93,7 @@ OBJS =		builtin.@O@ config.@O@ control.@O@ \
- 		@GEOIPLINKOBJS@ @GEOIP2LINKOBJS@ \
- 		log.@O@ logconf.@O@ main.@O@ \
- 		server.@O@ statschannel.@O@ \
--		tkeyconf.@O@ tsigconf.@O@ zoneconf.@O@ \
--		${DLZDRIVER_OBJS} ${DBDRIVER_OBJS}
-+		tkeyconf.@O@ tsigconf.@O@ zoneconf.@O@
- 
- UOBJS =		unix/os.@O@ unix/dlz_dlopen_driver.@O@
- 
-@@ -108,8 +107,7 @@ SRCS =		builtin.c config.c control.c \
- 		@GEOIPLINKSRCS@ @GEOIP2LINKSRCS@ \
- 		log.c logconf.c main.c \
- 		server.c statschannel.c \
--		tkeyconf.c tsigconf.c zoneconf.c \
--		${DLZDRIVER_SRCS} ${DBDRIVER_SRCS}
-+		tkeyconf.c tsigconf.c zoneconf.c
- 
- MANPAGES =	named.8 named.conf.5
- 
-@@ -149,7 +147,7 @@ server.@O@: server.c
+ 
+@@ -151,7 +152,7 @@ server.@O@: server.c
  		-DPRODUCT=\"${PRODUCT}\" \
  		-DVERSION=\"${VERSION}\" -c ${srcdir}/server.c
  
@@ -253,7 +219,7 @@ index e5b0d4b..b739869 100644
  	export MAKE_SYMTABLE="yes"; \
  	export BASEOBJS="${OBJS} ${UOBJS}"; \
  	${FINALBUILDCMD}
-@@ -159,7 +157,7 @@ feature-test.@O@: ${top_srcdir}/bin/tests/system/feature-test.c
+@@ -161,7 +162,7 @@ feature-test.@O@: ${top_srcdir}/bin/tests/system/feature-test.c
  	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
  		-c ${top_srcdir}/bin/tests/system/feature-test.c
  
@@ -262,7 +228,7 @@ index e5b0d4b..b739869 100644
  	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} \
  		-o $@ feature-test.@O@ ${ISCLIBS} ${LIBS}
  
-@@ -192,13 +190,13 @@ install-man8: named.8
+@@ -194,13 +195,13 @@ install-man8: named.8
  
  install-man: install-man5 install-man8
  
@@ -279,24 +245,11 @@ index e5b0d4b..b739869 100644
  
  @DLZ_DRIVER_RULES@
  
-diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
-index e5b0d4b..eecfa76 100644
---- a/bin/named/Makefile.in
-+++ b/bin/named/Makefile.in
-@@ -49,7 +49,7 @@ CINCLUDES =	-I${srcdir}/include -I${srcdir}/unix/include -I. \
- 		${DBDRIVER_INCLUDES} ${MAXMINDDB_CFLAGS} \
- 		@OPENSSL_INCLUDES@
- 
--CDEFINES =      @CONTRIB_DLZ@ @USE_PKCS11@
-+CDEFINES =      @CONTRIB_DLZ@
- 
- CWARNINGS =
- 
 diff --git a/configure.ac b/configure.ac
-index 6cce3bb..d80ae31 100644
+index de6a248..e95ef36 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -1276,12 +1276,14 @@ AC_SUBST(USE_GSSAPI)
+@@ -1196,12 +1196,14 @@ AC_SUBST(USE_GSSAPI)
  AC_SUBST(DST_GSSAPI_INC)
  AC_SUBST(DNS_GSSAPI_LIBS)
  DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS"
@@ -311,7 +264,7 @@ index 6cce3bb..d80ae31 100644
  
  #
  # was --with-lmdb specified?
-@@ -2522,6 +2524,8 @@ AC_SUBST(BIND9_DNS_BUILDINCLUDE)
+@@ -2296,6 +2298,8 @@ AC_SUBST(BIND9_DNS_BUILDINCLUDE)
  AC_SUBST(BIND9_NS_BUILDINCLUDE)
  AC_SUBST(BIND9_BIND9_BUILDINCLUDE)
  AC_SUBST(BIND9_IRS_BUILDINCLUDE)
@@ -320,7 +273,7 @@ index 6cce3bb..d80ae31 100644
  if test "X$srcdir" != "X"; then
  	BIND9_ISC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isc/include"
  	BIND9_ISCCC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isccc/include"
-@@ -2530,6 +2534,8 @@ if test "X$srcdir" != "X"; then
+@@ -2304,6 +2308,8 @@ if test "X$srcdir" != "X"; then
  	BIND9_NS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/ns/include"
  	BIND9_BIND9_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/bind9/include"
  	BIND9_IRS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/irs/include"
@@ -329,7 +282,7 @@ index 6cce3bb..d80ae31 100644
  else
  	BIND9_ISC_BUILDINCLUDE=""
  	BIND9_ISCCC_BUILDINCLUDE=""
-@@ -2538,6 +2544,8 @@ else
+@@ -2312,6 +2318,8 @@ else
  	BIND9_NS_BUILDINCLUDE=""
  	BIND9_BIND9_BUILDINCLUDE=""
  	BIND9_IRS_BUILDINCLUDE=""
@@ -338,7 +291,7 @@ index 6cce3bb..d80ae31 100644
  fi
  
  AC_SUBST_FILE(BIND9_MAKE_INCLUDES)
-@@ -3001,8 +3009,11 @@ AC_CONFIG_FILES([
+@@ -2771,8 +2779,11 @@ AC_CONFIG_FILES([
  	bin/delv/Makefile
  	bin/dig/Makefile
  	bin/dnssec/Makefile
@@ -350,7 +303,7 @@ index 6cce3bb..d80ae31 100644
  	bin/nsupdate/Makefile
  	bin/pkcs11/Makefile
  	bin/plugins/Makefile
-@@ -3075,6 +3086,10 @@ AC_CONFIG_FILES([
+@@ -2843,6 +2854,10 @@ AC_CONFIG_FILES([
  	lib/dns/include/dns/Makefile
  	lib/dns/include/dst/Makefile
  	lib/dns/tests/Makefile
@@ -361,7 +314,7 @@ index 6cce3bb..d80ae31 100644
  	lib/irs/Makefile
  	lib/irs/include/Makefile
  	lib/irs/include/irs/Makefile
-@@ -3107,6 +3122,10 @@ AC_CONFIG_FILES([
+@@ -2875,6 +2890,10 @@ AC_CONFIG_FILES([
  	lib/ns/include/Makefile
  	lib/ns/include/ns/Makefile
  	lib/ns/tests/Makefile
@@ -371,7 +324,7 @@ index 6cce3bb..d80ae31 100644
 +	lib/ns-pkcs11/tests/Makefile
  	lib/samples/Makefile
  	lib/samples/Makefile-postinstall
- 	unit/unittest.sh
+ 	make/Makefile
 diff --git a/lib/Makefile.in b/lib/Makefile.in
 index ffa2d5a..6fbc192 100644
 --- a/lib/Makefile.in
@@ -386,24 +339,27 @@ index ffa2d5a..6fbc192 100644
  
  @BIND9_MAKE_RULES@
 diff --git a/lib/dns-pkcs11/Makefile.in b/lib/dns-pkcs11/Makefile.in
-index 9125b10..593270d 100644
+index 0ef3b5f..80683c2 100644
 --- a/lib/dns-pkcs11/Makefile.in
 +++ b/lib/dns-pkcs11/Makefile.in
-@@ -26,11 +26,11 @@ VERSION=@BIND9_VERSION@
+@@ -26,14 +26,14 @@ VERSION=@BIND9_VERSION@
  
  USE_ISC_SPNEGO = @USE_ISC_SPNEGO@
  
 -CINCLUDES =	-I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \
 +CINCLUDES =	-I. -I${top_srcdir}/lib/dns-pkcs11 -Iinclude ${DNS_PKCS11_INCLUDES} \
- 		${ISC_INCLUDES} ${MAXMINDDB_CFLAGS} \
- 		@OPENSSL_INCLUDES@ @DST_GSSAPI_INC@
+ 		${ISC_INCLUDES} \
+ 		${OPENSSL_CFLAGS} @DST_GSSAPI_INC@ \
+ 		${JSON_C_CFLAGS} \
+ 		${LIBXML2_CFLAGS} \
+ 		${MAXMINDDB_CFLAGS}
  
--CDEFINES =	@USE_GSSAPI@ ${USE_ISC_SPNEGO} @USE_OPENSSL@ @USE_PKCS11@
-+CDEFINES =	@USE_GSSAPI@ ${USE_ISC_SPNEGO} @USE_PKCS11@ -DUSE_OPENSSL=0
+-CDEFINES =	@USE_GSSAPI@ ${USE_ISC_SPNEGO}
++CDEFINES =	@USE_GSSAPI@ ${USE_ISC_SPNEGO} @USE_PKCS11@
  
  CWARNINGS =
  
-@@ -138,15 +138,15 @@ version.@O@: version.c
+@@ -139,15 +139,15 @@ version.@O@: version.c
  		-DLIBAGE=${LIBAGE} \
  		-c ${srcdir}/version.c
  
@@ -423,7 +379,7 @@ index 9125b10..593270d 100644
  
  include: gen
  	${MAKE} include/dns/enumtype.h
-@@ -177,22 +177,22 @@ gen: gen.c
+@@ -178,22 +178,22 @@ gen: gen.c
  	${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c \
  	${BUILD_LIBS} ${LFS_LIBS}
  
@@ -452,7 +408,7 @@ index 9125b10..593270d 100644
  	rm -f include/dns/rdatastruct.h
  	rm -f dnstap.pb-c.c dnstap.pb-c.h
 diff --git a/lib/dns-pkcs11/tests/Makefile.in b/lib/dns-pkcs11/tests/Makefile.in
-index 0e91523..9351c3f 100644
+index fd8ebb9..9384a4f 100644
 --- a/lib/dns-pkcs11/tests/Makefile.in
 +++ b/lib/dns-pkcs11/tests/Makefile.in
 @@ -15,14 +15,14 @@ VERSION=@BIND9_VERSION@
@@ -461,11 +417,11 @@ index 0e91523..9351c3f 100644
  
 -CINCLUDES =	-I. -Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} \
 +CINCLUDES =	-I. -Iinclude ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} \
- 		@OPENSSL_INCLUDES@ @CMOCKA_CFLAGS@
+ 		${OPENSSL_CFLAGS} ${MAXMINDDB_CFLAGS} @CMOCKA_CFLAGS@
 -CDEFINES =	-DTESTS="\"${top_builddir}/lib/dns/tests/\""
 +CDEFINES =	@USE_PKCS11@ -DTESTS="\"${top_builddir}/lib/dns-pkcs11/tests/\""
  
- ISCLIBS =	../../isc/libisc.@A@ @OPENSSL_LIBS@
+ ISCLIBS =	../../isc/libisc.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS} ${ZLIB_LIBS}
  ISCDEPLIBS =	../../isc/libisc.@A@
 -DNSLIBS =	../libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
 -DNSDEPLIBS =	../libdns.@A@
@@ -474,24 +430,11 @@ index 0e91523..9351c3f 100644
  
  LIBS =		@LIBS@ @CMOCKA_LIBS@
  
-diff --git a/lib/dns/Makefile.in b/lib/dns/Makefile.in
-index 9125b10..70644d8 100644
---- a/lib/dns/Makefile.in
-+++ b/lib/dns/Makefile.in
-@@ -30,7 +30,7 @@ CINCLUDES =	-I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \
- 		${ISC_INCLUDES} ${MAXMINDDB_CFLAGS} \
- 		@OPENSSL_INCLUDES@ @DST_GSSAPI_INC@
- 
--CDEFINES =	@USE_GSSAPI@ ${USE_ISC_SPNEGO} @USE_OPENSSL@ @USE_PKCS11@
-+CDEFINES =	@USE_GSSAPI@ ${USE_ISC_SPNEGO} @USE_OPENSSL@
- 
- CWARNINGS =
- 
 diff --git a/lib/ns-pkcs11/Makefile.in b/lib/ns-pkcs11/Makefile.in
-index 58d731a..47b4b98 100644
+index 97aaaf6..c7ffc7b 100644
 --- a/lib/ns-pkcs11/Makefile.in
 +++ b/lib/ns-pkcs11/Makefile.in
-@@ -20,8 +20,8 @@ VERSION=@BIND9_VERSION@
+@@ -20,11 +20,11 @@ VERSION=@BIND9_VERSION@
  
  USE_ISC_SPNEGO = @USE_ISC_SPNEGO@
  
@@ -499,10 +442,14 @@ index 58d731a..47b4b98 100644
 -		${NS_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \
 +CINCLUDES =	-I. -I${top_srcdir}/lib/ns-pkcs11 -Iinclude \
 +		${NS_PKCS11_INCLUDES} ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} \
- 		@OPENSSL_INCLUDES@ @DST_GSSAPI_INC@
+ 		${OPENSSL_CFLAGS} @DST_GSSAPI_INC@
  
- CDEFINES =	@USE_PKCS11@ -DNAMED_PLUGINDIR=\"${plugindir}\"
-@@ -32,9 +32,9 @@ ISCLIBS =	../../lib/isc/libisc.@A@ @OPENSSL_LIBS@
+-CDEFINES =	-DNAMED_PLUGINDIR=\"${plugindir}\"
++CDEFINES =	@USE_PKCS11@ -DNAMED_PLUGINDIR=\"${plugindir}\"
+ 
+ CWARNINGS =
+ 
+@@ -32,9 +32,9 @@ ISCLIBS =	../../lib/isc/libisc.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS
  
  ISCDEPLIBS =	../../lib/isc/libisc.@A@
  
@@ -552,20 +499,21 @@ index 58d731a..47b4b98 100644
 -	rm -f libns.@A@ timestamp
 +	rm -f libns-pkcs11.@A@ timestamp
 diff --git a/lib/ns-pkcs11/tests/Makefile.in b/lib/ns-pkcs11/tests/Makefile.in
-index ffd8f41..4a6cb1b 100644
+index 70c77a4..87955a7 100644
 --- a/lib/ns-pkcs11/tests/Makefile.in
 +++ b/lib/ns-pkcs11/tests/Makefile.in
-@@ -15,16 +15,16 @@ VERSION=@BIND9_VERSION@
- 
- @BIND9_MAKE_INCLUDES@
+@@ -21,17 +21,17 @@ WRAP_NAME =	-Wl,-install_name,${top_builddir}/lib/ns/tests/$@
+ WRAP_RPATH =	-Wl,-rpath,${top_builddir}/lib/ns/tests
+ WRAP_LIB =	-L${top_builddir}/lib/ns/tests -lwrap
  
 -CINCLUDES =	-I. -Iinclude ${NS_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \
 +CINCLUDES =	-I. -Iinclude ${NS_PKCS11_INCLUDES} ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} \
- 		@OPENSSL_INCLUDES@ @CMOCKA_CFLAGS@
+ 		${OPENSSL_CFLAGS} \
+ 		@CMOCKA_CFLAGS@
 -CDEFINES =	-DTESTS="\"${top_builddir}/lib/ns/tests/\"" -DNAMED_PLUGINDIR=\"${plugindir}\"
-+CDEFINES =	@USE_PKCS11@ -DTESTS="\"${top_builddir}/lib/ns/tests/\"" -DNAMED_PLUGINDIR=\"${plugindir}\"
++CDEFINES =	-DTESTS="\"${top_builddir}/lib/ns/tests/\"" -DNAMED_PLUGINDIR=\"${plugindir}\" @USE_PKCS11@
  
- ISCLIBS =	../../isc/libisc.@A@ @OPENSSL_LIBS@
+ ISCLIBS =	../../isc/libisc.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS} ${ZLIB_LIBS}
  ISCDEPLIBS =	../../isc/libisc.@A@
 -DNSLIBS =	../../dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
 -DNSDEPLIBS =	../../dns/libdns.@A@
@@ -578,19 +526,6 @@ index ffd8f41..4a6cb1b 100644
  
  LIBS =		@LIBS@ @CMOCKA_LIBS@
  
-diff --git a/lib/ns/Makefile.in b/lib/ns/Makefile.in
-index 58d731a..a14728d 100644
---- a/lib/ns/Makefile.in
-+++ b/lib/ns/Makefile.in
-@@ -24,7 +24,7 @@ CINCLUDES =	-I. -I${top_srcdir}/lib/ns -Iinclude \
- 		${NS_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \
- 		@OPENSSL_INCLUDES@ @DST_GSSAPI_INC@
- 
--CDEFINES =	@USE_PKCS11@ -DNAMED_PLUGINDIR=\"${plugindir}\"
-+CDEFINES =	-DNAMED_PLUGINDIR=\"${plugindir}\"
- 
- CWARNINGS =
- 
 diff --git a/make/includes.in b/make/includes.in
 index 48cdaf7..7b17738 100644
 --- a/make/includes.in
diff --git a/bind-9.11-engine-pkcs11.patch b/bind-9.11-engine-pkcs11.patch
deleted file mode 100644
index 4a6290d..0000000
--- a/bind-9.11-engine-pkcs11.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 37f89ccfc439f8d86c401d9ae10e94e53b924961 Mon Sep 17 00:00:00 2001
-From: Petr Mensik <pemensik@redhat.com>
-Date: Tue, 27 Aug 2019 20:39:59 +0200
-Subject: [PATCH] Do not set engine for native PKCS11
-
-It resets already set lib_path to pkcs11, which is invalid in native
-pkcs11 crypto. Engine has to be path to PKCS#11 module.
----
- bin/named/include/named/globals.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/bin/named/include/named/globals.h b/bin/named/include/named/globals.h
-index eda2214..2a611d5 100644
---- a/bin/named/include/named/globals.h
-+++ b/bin/named/include/named/globals.h
-@@ -160,7 +160,7 @@ EXTERN const char *		ns_g_defaultdnstap	INIT(NULL);
- 
- EXTERN const char *		ns_g_username		INIT(NULL);
- 
--#if defined(USE_PKCS11)
-+#if defined(USE_PKCS11) && !defined(PKCS11CRYPTO)
- EXTERN const char *		ns_g_engine		INIT(PKCS11_ENGINE);
- #else
- EXTERN const char *		ns_g_engine		INIT(NULL);
--- 
-2.20.1
-
diff --git a/bind-9.14-config-pkcs11.patch b/bind-9.14-config-pkcs11.patch
index cf73a1c..a71d772 100644
--- a/bind-9.14-config-pkcs11.patch
+++ b/bind-9.14-config-pkcs11.patch
@@ -1,4 +1,4 @@
-From 233d3784d04bee37b772f391da8726f0cd7b223e Mon Sep 17 00:00:00 2001
+From 2d8abd838870b58629ce55df411b6ba1b2c7288f Mon Sep 17 00:00:00 2001
 From: Petr Mensik <pemensik@redhat.com>
 Date: Fri, 18 Oct 2019 21:30:52 +0200
 Subject: [PATCH] Move USE_PKCS11 and USE_OPENSSL out of config.h
@@ -8,17 +8,12 @@ USE_PKCS11 on part of build. That is not possible with config.h value.
 Move it as normal define to CDEFINES.
 ---
  bin/confgen/Makefile.in |  2 +-
- bin/dig/Makefile.in     |  2 +-
- bin/dnssec/Makefile.in  |  2 +-
- bin/named/Makefile.in   |  2 +-
  configure.ac            |  8 ++++++--
- lib/dns/Makefile.in     |  2 +-
  lib/dns/dst_internal.h  | 12 +++++++++---
- lib/ns/Makefile.in      |  2 +-
- 8 files changed, 21 insertions(+), 11 deletions(-)
+ 3 files changed, 16 insertions(+), 6 deletions(-)
 
 diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in
-index dc3a7f6..1e0fe0e 100644
+index 1f5165a..ef3e70c 100644
 --- a/bin/confgen/Makefile.in
 +++ b/bin/confgen/Makefile.in
 @@ -22,7 +22,7 @@ VERSION=@BIND9_VERSION@
@@ -30,50 +25,11 @@ index dc3a7f6..1e0fe0e 100644
  CWARNINGS =
  
  ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
-diff --git a/bin/dig/Makefile.in b/bin/dig/Makefile.in
-index 0601939..2317ec0 100644
---- a/bin/dig/Makefile.in
-+++ b/bin/dig/Makefile.in
-@@ -21,7 +21,7 @@ CINCLUDES =	-I${srcdir}/include ${DNS_INCLUDES} \
- 		${BIND9_INCLUDES} ${ISC_INCLUDES} \
- 		${IRS_INCLUDES} ${ISCCFG_INCLUDES} @LIBIDN2_CFLAGS@ @OPENSSL_INCLUDES@
- 
--CDEFINES =	-DVERSION=\"${VERSION}\"
-+CDEFINES =	-DVERSION=\"${VERSION}\" @USE_PKCS11@
- CWARNINGS =
- 
- ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
-diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in
-index 321058b..1dad340 100644
---- a/bin/dnssec/Makefile.in
-+++ b/bin/dnssec/Makefile.in
-@@ -17,7 +17,7 @@ VERSION=@BIND9_VERSION@
- 
- CINCLUDES =	${DNS_INCLUDES} ${ISC_INCLUDES} @OPENSSL_INCLUDES@
- 
--CDEFINES =	-DVERSION=\"${VERSION}\"
-+CDEFINES =	-DVERSION=\"${VERSION}\" @USE_PKCS11@
- CWARNINGS =
- 
- DNSLIBS =	../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
-diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
-index eecfa76..e5b0d4b 100644
---- a/bin/named/Makefile.in
-+++ b/bin/named/Makefile.in
-@@ -49,7 +49,7 @@ CINCLUDES =	-I${srcdir}/include -I${srcdir}/unix/include -I. \
- 		${DBDRIVER_INCLUDES} ${MAXMINDDB_CFLAGS} \
- 		@OPENSSL_INCLUDES@
- 
--CDEFINES =      @CONTRIB_DLZ@
-+CDEFINES =      @CONTRIB_DLZ@ @USE_PKCS11@
- 
- CWARNINGS =
- 
 diff --git a/configure.ac b/configure.ac
-index 80039b7..6cce3bb 100644
+index c69bc37..de6a248 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -963,9 +963,13 @@ AS_CASE([$enable_native_pkcs11],
+@@ -883,9 +883,13 @@ AS_CASE([$enable_native_pkcs11],
  AC_SUBST([PKCS11_TEST])
  AC_SUBST([PKCS11_TOOLS])
  
@@ -89,64 +45,38 @@ index 80039b7..6cce3bb 100644
  
  # preparation for automake
  # AM_CONDITIONAL([PKCS11_TOOLS], [test "$with_native_pkcs11" = "yes"])
-diff --git a/lib/dns/Makefile.in b/lib/dns/Makefile.in
-index 60c87a8..9125b10 100644
---- a/lib/dns/Makefile.in
-+++ b/lib/dns/Makefile.in
-@@ -30,7 +30,7 @@ CINCLUDES =	-I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \
- 		${ISC_INCLUDES} ${MAXMINDDB_CFLAGS} \
- 		@OPENSSL_INCLUDES@ @DST_GSSAPI_INC@
- 
--CDEFINES =	@USE_GSSAPI@ ${USE_ISC_SPNEGO}
-+CDEFINES =	@USE_GSSAPI@ ${USE_ISC_SPNEGO} @USE_OPENSSL@ @USE_PKCS11@
- 
- CWARNINGS =
- 
 diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h
-index bfa28f0..d3ff613 100644
+index bce2a9f..ef9d045 100644
 --- a/lib/dns/dst_internal.h
 +++ b/lib/dns/dst_internal.h
-@@ -40,6 +40,13 @@
+@@ -38,6 +38,13 @@
  #include <isc/stdtime.h>
- #include <isc/hmac.h>
+ #include <isc/types.h>
  
-+#ifndef USE_OPENSSL
-+#define USE_OPENSSL 1
-+#endif
 +#ifndef USE_PKCS11
 +#define USE_PKCS11 0
 +#endif
++#ifndef USE_OPENSSL
++#define USE_OPENSSL (! USE_PKCS11)
++#endif
 +
  #if USE_PKCS11
  #include <pk11/pk11.h>
  #include <pk11/site.h>
-@@ -99,11 +106,10 @@ struct dst_key {
+@@ -98,11 +105,10 @@ struct dst_key {
  		void *generic;
  		gss_ctx_id_t gssctx;
  		DH *dh;
 -#if USE_OPENSSL
 -		EVP_PKEY *pkey;
--#endif
+-#endif /* if USE_OPENSSL */
  #if USE_PKCS11
  		pk11_object_t *pkey;
 +#else
 +		EVP_PKEY *pkey;
- #endif
+ #endif /* if USE_PKCS11 */
  		dst_hmac_key_t *hmac_key;
- 	} keydata;			/*%< pointer to key in crypto pkg fmt */
-diff --git a/lib/ns/Makefile.in b/lib/ns/Makefile.in
-index a14728d..58d731a 100644
---- a/lib/ns/Makefile.in
-+++ b/lib/ns/Makefile.in
-@@ -24,7 +24,7 @@ CINCLUDES =	-I. -I${top_srcdir}/lib/ns -Iinclude \
- 		${NS_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \
- 		@OPENSSL_INCLUDES@ @DST_GSSAPI_INC@
- 
--CDEFINES =	-DNAMED_PLUGINDIR=\"${plugindir}\"
-+CDEFINES =	@USE_PKCS11@ -DNAMED_PLUGINDIR=\"${plugindir}\"
- 
- CWARNINGS =
- 
+ 	} keydata; /*%< pointer to key in crypto pkg fmt */
 -- 
-2.20.1
+2.21.1
 
diff --git a/bind.spec b/bind.spec
index c45b2f1..bf11fcf 100644
--- a/bind.spec
+++ b/bind.spec
@@ -57,6 +57,7 @@
 %global sover_isc 1602
 %global sover_irs 1600
 %global sover_isccfg 1600
+%global sover_ns 1602
 
 
 Summary:  The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server
@@ -115,7 +116,6 @@ Patch149:bind-9.11-kyua-pkcs11.patch
 Patch137:bind-9.10-use-of-strlcat.patch
 Patch140:bind-9.11-rh1410433.patch
 # Avoid conflicts with OpenSSL PKCS11 engine
-Patch150:bind-9.11-engine-pkcs11.patch
 Patch154:bind-9.11-oot-manual.patch
 Patch157:bind-9.11-fips-tests.patch
 Patch164:bind-9.11-rh1666814.patch
@@ -445,7 +445,6 @@ cp -r lib/dns{,-pkcs11}
 cp -r lib/ns{,-pkcs11}
 %patch136 -p1 -b .dist_pkcs11
 %patch149 -p1 -b .kyua-pkcs11
-%patch150 -p1 -b .engine-pkcs11
 %endif
 
 %patch133 -p1 -b .rh640538
@@ -978,7 +977,7 @@ fi;
 %files libs
 %{_libdir}/libbind9.so.1600*
 %{_libdir}/libisccc.so.1600*
-%{_libdir}/libns.so.1602*
+%{_libdir}/libns.so.%{sover_ns}*
 
 %files libs-lite
 %{_libdir}/libdns.so.%{sover_dns}*
@@ -1113,14 +1112,14 @@ fi;
 
 %files pkcs11-libs
 %{_libdir}/libdns-pkcs11.so.%{sover_dns}*
-%{_libdir}/libisc-pkcs11.so.%{sover_isc}*
+%{_libdir}/libns-pkcs11.so.%{sover_ns}*
 
 %files pkcs11-devel
 %{_includedir}/bind9/pk11/*.h
 %exclude %{_includedir}/bind9/pk11/site.h
 %{_includedir}/bind9/pkcs11
 %{_libdir}/libdns-pkcs11.so
-%{_libdir}/libisc-pkcs11.so
+%{_libdir}/libns-pkcs11.so
 %endif
 
 %if %{with DLZ} && %{with BDB}