Native pkcs11 support in bind9 is needed for DNSSEC support in FreeIPA. I've added this to bind9 package here:
https://git.launchpad.net/~tjaalton/ubuntu/+source/bind
It has a patch from Fedora split in two. The first one is applied with quilt along with the rest of the patches, and it just modifies Makefiles & configure to allow building native pkcs11 in the same build with openssl. The second patch is applied manually after copying bin/named, bin/dnssec, lib/isc, lib/dns for a separate build. This patch modifies includes and targets to use correct names for this build.
Neither of the patches touch actual code, and if any new patches are later added that do, the changes are also carried over to the separate build since the directories are copied during build.
The resulting binaries and libraries are added to the existing packages, but it's also possible to ship them separate.
This whole separate build thing is because the current build is with openssl enabled, and I don't know what replacing that with pkcs11 would mean for existing users. Building it separate is guaranteed to not harm anyone.
Status changed to 'Confirmed' because the bug affects multiple users.