"dnssec-keyfromlabel: fatal: failed to get key example.com/RSASHA256: no PKCS#11 provider" could be more helpful
In the circumstances in which it was encountered, the message above, emitted when dnssec-keyfromlabel terminated with a fatal error, was not helpful for troubleshooting the problem.
What it actually meant (in this instance) was that the syntax of the options provided to the native PKCS#11 library was at fault, so the library call failed. It didn't mean that the library was inaccessible (although it wasn't possible to access the HSM because of this error).
Since the syntax is defined in the ARM:
Keywords include "token", which identifies the HSM; "object", which identifies the key; and "pin-source", which identifies a file from which the HSM's PIN code can be obtained. The label will be stored in the on-disk "private" file.
Perhaps it would have been more useful to parse what was provided and emit a more helpful error if it was not acceptable, or, without parsing, at least to report that the library rejected what it was given. The problem was not that no library was available, which is what the wording of the message suggests.
(From Support ticket #14117)
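A sketch of the pre-check suggested above, added here as an illustration and not taken from BIND's source: it classifies a malformed label so the tool can report what was wrong with it instead of "no PKCS#11 provider". It assumes the label has the form pkcs11:keyword=value[;keyword=value...], recognizes only the three keywords quoted from the ARM, and assumes "object" is required; the function, enum and sample label are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Distinct results, so the caller can say what was wrong with the label
 * instead of reporting a missing provider. Names are hypothetical. */
typedef enum { LABEL_OK, LABEL_NO_SCHEME, LABEL_EMPTY_PAIR, LABEL_NO_EQUALS,
               LABEL_EMPTY_VALUE, LABEL_UNKNOWN_KEYWORD, LABEL_NO_OBJECT } label_status;

static const char *const label_msg[] = {
    "label accepted",
    "label does not start with \"pkcs11:\"",
    "empty keyword=value pair (stray ';')",
    "pair has no '=' or no keyword",
    "keyword has an empty value",
    "keyword is not token, object or pin-source",
    "no \"object\" keyword, so no key is identified",
};

/* Assumed syntax: pkcs11:keyword=value[;keyword=value...]. Only the three
 * keywords quoted from the ARM are recognized; a real parser may take more. */
label_status check_label(const char *label) {
    static const char *const known[] = { "token", "object", "pin-source" };
    int have_object = 0;
    if (strncmp(label, "pkcs11:", 7) != 0) return LABEL_NO_SCHEME;
    const char *p = label + 7;
    for (;;) {
        size_t len = strcspn(p, ";");           /* length of this pair */
        const char *eq = memchr(p, '=', len);   /* '=' inside this pair only */
        size_t i, klen;
        if (len == 0) return LABEL_EMPTY_PAIR;
        if (eq == NULL || eq == p) return LABEL_NO_EQUALS;
        klen = (size_t)(eq - p);
        if (klen + 1 == len) return LABEL_EMPTY_VALUE;
        for (i = 0; i < 3; i++)
            if (strlen(known[i]) == klen && strncmp(p, known[i], klen) == 0)
                break;
        if (i == 3) return LABEL_UNKNOWN_KEYWORD;
        if (i == 1) have_object = 1;            /* known[1] is "object" */
        if (p[len] == '\0') break;              /* last pair consumed */
        p += len + 1;                           /* skip the ';' */
    }
    return have_object ? LABEL_OK : LABEL_NO_OBJECT;
}

int main(void) {
    /* Constructed sample: ',' typed where ';' belongs between the pairs. */
    const char *label = "pkcs11:token=sample-hsm,object=example.com-ksk";
    printf("%s: %s\n", label, label_msg[check_label(label)]);
    return 0;
}
```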