The patched OpenSSL that ISC provides is, IMHO, a kludge and should not be encouraged. If we have missing features in the Cryptech PKCS#11 provider we should att those. I would be interested in what features are missing for BIND, since OpenDNSSEC works out of the box. jakob