Comment 40 for bug 1710278

I think an external provider can be mentioned via '-E engine-name' (see: NAMED(8))

       -E engine-name
           When applicable, specifies the hardware to use for cryptographic operations, such as a secure key store used for signing.

           When BIND is built with OpenSSL PKCS#11 support, this defaults to the string "pkcs11", which identifies an OpenSSL engine that can drive a cryptographic accelerator or hardware service
           module. When BIND is built with native PKCS#11 cryptography (--enable-native-pkcs11), it defaults to the path of the PKCS#11 provider library specified via "--with-pkcs11".

I'll have a look our options once I have a binary pkg ready to be installed and tested.