diff --git a/bind-9.14-config-pkcs11.patch b/bind-9.14-config-pkcs11.patch
new file mode 100644
index 0000000..4559fe5
--- /dev/null
+++ b/bind-9.14-config-pkcs11.patch
@@ -0,0 +1,119 @@
+From 0427e970f0294cadf4dff04021f41e751c713e3c Mon Sep 17 00:00:00 2001
+From: Petr Mensik
+Date: Fri, 18 Oct 2019 21:30:52 +0200
+Subject: [PATCH] Move USE_PKCS11 and USE_OPENSSL out of config.h
+
+Building two variants with the same common code requires to unset
+USE_PKCS11 on part of build. That is not possible with config.h value.
+Move it as normal define to CDEFINES.
+---
+ bin/confgen/Makefile.in | 2 +-
+ bin/dig/Makefile.in | 2 +-
+ bin/dnssec/Makefile.in | 2 +-
+ bin/named/Makefile.in | 2 +-
+ configure.ac | 8 ++++++--
+ lib/dns/Makefile.in | 2 +-
+ lib/ns/Makefile.in | 2 +-
+ 7 files changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in
+index dc3a7f6..1e0fe0e 100644
+--- a/bin/confgen/Makefile.in
++++ b/bin/confgen/Makefile.in
+@@ -22,7 +22,7 @@ VERSION=@BIND9_VERSION@
+ CINCLUDES = -I${srcdir}/include ${ISC_INCLUDES} ${ISCCC_INCLUDES} \
+ ${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES}
+
+-CDEFINES =
++CDEFINES = @USE_PKCS11@
+ CWARNINGS =
+
+ ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
+diff --git a/bin/dig/Makefile.in b/bin/dig/Makefile.in
+index 0601939..2317ec0 100644
+--- a/bin/dig/Makefile.in
++++ b/bin/dig/Makefile.in
+@@ -21,7 +21,7 @@ CINCLUDES = -I${srcdir}/include ${DNS_INCLUDES} \
+ ${BIND9_INCLUDES} ${ISC_INCLUDES} \
+ ${IRS_INCLUDES} ${ISCCFG_INCLUDES} @LIBIDN2_CFLAGS@ @OPENSSL_INCLUDES@
+
+-CDEFINES = -DVERSION=\"${VERSION}\"
++CDEFINES = -DVERSION=\"${VERSION}\" @USE_PKCS11@
+ CWARNINGS =
+
+ ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
+diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in
+index 321058b..1dad340 100644
+--- a/bin/dnssec/Makefile.in
++++ b/bin/dnssec/Makefile.in
+@@ -17,7 +17,7 @@ VERSION=@BIND9_VERSION@
+
+ CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @OPENSSL_INCLUDES@
+
+-CDEFINES = -DVERSION=\"${VERSION}\"
++CDEFINES = -DVERSION=\"${VERSION}\" @USE_PKCS11@
+ CWARNINGS =
+
+ DNSLIBS = ../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
+diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
+index eecfa76..e5b0d4b 100644
+--- a/bin/named/Makefile.in
++++ b/bin/named/Makefile.in
+@@ -49,7 +49,7 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
+ ${DBDRIVER_INCLUDES} ${MAXMINDDB_CFLAGS} \
+ @OPENSSL_INCLUDES@
+
+-CDEFINES = @CONTRIB_DLZ@
++CDEFINES = @CONTRIB_DLZ@ @USE_PKCS11@
+
+ CWARNINGS =
+
+diff --git a/configure.ac b/configure.ac
+index da6de97..6d4cdcc 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -963,9 +963,13 @@ AS_CASE([$enable_native_pkcs11],
+ AC_SUBST([PKCS11_TEST])
+ AC_SUBST([PKCS11_TOOLS])
+
++USE_PKCS11=
++USE_OPENSSL=
+ AS_CASE([$CRYPTO],
+- [pkcs11],[AC_DEFINE([USE_PKCS11], [1], [define if PKCS11 is used for Public-Key Cryptography])],
+- [AC_DEFINE([USE_OPENSSL], [1], [define if OpenSSL is used for Public-Key Cryptography])])
++ [pkcs11],[USE_PKCS11='-DUSE_PKCS11'],
++ [USE_OPENSSL='-DUSE_OPENSSL'])
++AC_SUBST(USE_PKCS11)
++AC_SUBST(USE_OPENSSL)
+
+ # preparation for automake
+ # AM_CONDITIONAL([PKCS11_TOOLS], [test "$with_native_pkcs11" = "yes"])
+diff --git a/lib/dns/Makefile.in b/lib/dns/Makefile.in
+index 60c87a8..9125b10 100644
+--- a/lib/dns/Makefile.in
++++ b/lib/dns/Makefile.in
+@@ -30,7 +30,7 @@ CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \
+ ${ISC_INCLUDES} ${MAXMINDDB_CFLAGS} \
+ @OPENSSL_INCLUDES@ @DST_GSSAPI_INC@
+
+-CDEFINES = @USE_GSSAPI@ ${USE_ISC_SPNEGO}
++CDEFINES = @USE_GSSAPI@ ${USE_ISC_SPNEGO} @USE_OPENSSL@ @USE_PKCS11@
+
+ CWARNINGS =
+
+diff --git a/lib/ns/Makefile.in b/lib/ns/Makefile.in
+index a14728d..58d731a 100644
+--- a/lib/ns/Makefile.in
++++ b/lib/ns/Makefile.in
+@@ -24,7 +24,7 @@ CINCLUDES = -I. -I${top_srcdir}/lib/ns -Iinclude \
+ ${NS_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \
+ @OPENSSL_INCLUDES@ @DST_GSSAPI_INC@
+
+-CDEFINES = -DNAMED_PLUGINDIR=\"${plugindir}\"
++CDEFINES = @USE_PKCS11@ -DNAMED_PLUGINDIR=\"${plugindir}\"
+
+ CWARNINGS =
+
+--
+2.20.1
+
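Review bot: `@USE_OPENSSL@` is added to CDEFINES only in lib/dns/Makefile.in, while bin/confgen, bin/dig, bin/dnssec, bin/named and lib/ns receive `@USE_PKCS11@` alone and directories this patch does not touch receive neither macro. Both macros previously came from config.h for every translation unit, so any source outside lib/dns that tests `USE_OPENSSL`, or any untouched directory that tests `USE_PKCS11`, would now be compiled with the macro undefined and silently take whatever preprocessor branch remains. If that is not intended, add both substitutions wherever one is added, e.g. `CDEFINES = -DVERSION=\"${VERSION}\" @USE_OPENSSL@ @USE_PKCS11@`, and consider an `#error` where the crypto backend is selected when neither macro is set. The new `AC_SUBST(USE_PKCS11)` and `AC_SUBST(USE_OPENSSL)` calls are also unquoted, unlike the neighbouring `AC_SUBST([PKCS11_TEST])`.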
diff --git a/bind-9.14-disable-isc-pkcs11.patch b/bind-9.14-disable-isc-pkcs11.patch
new file mode 100644
index 0000000..b8ee475
--- /dev/null
+++ b/bind-9.14-disable-isc-pkcs11.patch
@@ -0,0 +1,180 @@
+From f354e06035a6661b29f665890933c9d0108cd3e5 Mon Sep 17 00:00:00 2001
+From: Petr Mensik
+Date: Fri, 18 Oct 2019 21:55:19 +0200
+Subject: [PATCH] Do not define ISC_PKCS11_INCLUDES
+
+isc library is no longer different. Just dns library is different.
+Do not try to use isc-pkcs11 library for no reason.
+---
+ bin/dnssec-pkcs11/Makefile.in | 8 ++++----
+ bin/named-pkcs11/Makefile.in | 10 +++++-----
+ bin/pkcs11/Makefile.in | 6 +++---
+ configure.ac | 15 ---------------
+ lib/Makefile.in | 2 +-
+ lib/dns-pkcs11/tests/Makefile.in | 4 ++--
+ make/includes.in | 6 ------
+ 7 files changed, 15 insertions(+), 36 deletions(-)
+
+diff --git a/bin/dnssec-pkcs11/Makefile.in b/bin/dnssec-pkcs11/Makefile.in
+index 5067ee1..54b9f10 100644
+--- a/bin/dnssec-pkcs11/Makefile.in
++++ b/bin/dnssec-pkcs11/Makefile.in
+@@ -15,17 +15,17 @@ VERSION=@BIND9_VERSION@
+
+ @BIND9_MAKE_INCLUDES@
+
+-CINCLUDES = ${DNS_PKCS11_INCLUDES} ${ISC_PKCS11_INCLUDES} @OPENSSL_INCLUDES@
++CINCLUDES = ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} @OPENSSL_INCLUDES@
+
+ CDEFINES = -DVERSION=\"${VERSION}\"
+ CWARNINGS =
+
+ DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
+-ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ @OPENSSL_LIBS@
+-ISCNOSYMLIBS = ../../lib/isc-pkcs11/libisc-pkcs11-nosymtbl.@A@ @OPENSSL_LIBS@
++ISCLIBS = ../../lib/isc/libisc.@A@ @OPENSSL_LIBS@
++ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LIBS@
+
+ DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@
+-ISCDEPLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@
++ISCDEPLIBS = ../../lib/isc/libisc.@A@
+
+ DEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS}
+
+diff --git a/bin/named-pkcs11/Makefile.in b/bin/named-pkcs11/Makefile.in
+index 416e12e..a0e8314 100644
+--- a/bin/named-pkcs11/Makefile.in
++++ b/bin/named-pkcs11/Makefile.in
+@@ -43,9 +43,9 @@ DLZDRIVER_INCLUDES = @DLZ_DRIVER_INCLUDES@
+ DLZDRIVER_LIBS = @DLZ_DRIVER_LIBS@
+
+ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
+- ${NS_INCLUDES} ${DNS_PKCS11_INCLUDES} \
++ ${NS_PKCS11_INCLUDES} ${DNS_PKCS11_INCLUDES} \
+ ${BIND9_INCLUDES} ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} \
+- ${ISC_PKCS11_INCLUDES} ${DLZDRIVER_INCLUDES} \
++ ${ISC_INCLUDES} ${DLZDRIVER_INCLUDES} \
+ ${DBDRIVER_INCLUDES} ${MAXMINDDB_CFLAGS} \
+ @OPENSSL_INCLUDES@
+
+@@ -56,15 +56,15 @@ CWARNINGS =
+ DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
+ ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
+ ISCCCLIBS = ../../lib/isccc/libisccc.@A@
+-ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ @OPENSSL_LIBS@
+-ISCNOSYMLIBS = ../../lib/isc-pkcs11/libisc-pkcs11-nosymtbl.@A@ @OPENSSL_LIBS@
++ISCLIBS = ../../lib/isc/libisc.@A@ @OPENSSL_LIBS@
++ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LIBS@
+ BIND9LIBS = ../../lib/bind9/libbind9.@A@
+ NSLIBS = ../../lib/ns/libns.@A@
+
+ DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@
+ ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
+ ISCCCDEPLIBS = ../../lib/isccc/libisccc.@A@
+-ISCDEPLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@
++ISCDEPLIBS = ../../lib/isc/libisc.@A@
+ BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
+ NSDEPLIBS = ../../lib/ns/libns.@A@
+
+diff --git a/bin/pkcs11/Makefile.in b/bin/pkcs11/Makefile.in
+index 0e542f3..96aec05 100644
+--- a/bin/pkcs11/Makefile.in
++++ b/bin/pkcs11/Makefile.in
+@@ -13,13 +13,13 @@ top_srcdir = @top_srcdir@
+
+ @BIND9_MAKE_INCLUDES@
+
+-CINCLUDES = ${ISC_PKCS11_INCLUDES}
++CINCLUDES = ${ISC_INCLUDES}
+
+ CDEFINES =
+
+-ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ @OPENSSL_LIBS@
++ISCLIBS = ../../lib/isc/libisc.@A@ @OPENSSL_LIBS@
+
+-ISCDEPLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@
++ISCDEPLIBS = ../../lib/isc/libisc.@A@
+
+ DEPLIBS = ${ISCDEPLIBS}
+
+diff --git a/configure.ac b/configure.ac
+index 6d4cdcc..39c1d95 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -2535,7 +2535,6 @@ if test "X$srcdir" != "X"; then
+ BIND9_NS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/ns/include"
+ BIND9_BIND9_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/bind9/include"
+ BIND9_IRS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/irs/include"
+- BIND9_ISC_PKCS11_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isc-pkcs11/include"
+ BIND9_DNS_PKCS11_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/dns-pkcs11/include"
+ BIND9_NS_PKCS11_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/ns-pkcs11/include"
+ else
+@@ -3114,20 +3113,6 @@ AC_CONFIG_FILES([
+ lib/isc/unix/include/Makefile
+ lib/isc/unix/include/isc/Makefile
+ lib/isc/unix/include/pkcs11/Makefile
+- lib/isc-pkcs11/pthreads/Makefile
+- lib/isc-pkcs11/pthreads/include/Makefile
+- lib/isc-pkcs11/pthreads/include/isc/Makefile
+- lib/isc-pkcs11/Makefile
+- lib/isc-pkcs11/include/Makefile
+- lib/isc-pkcs11/include/isc/Makefile
+- lib/isc-pkcs11/include/isc/platform.h
+- lib/isc-pkcs11/include/pk11/Makefile
+- lib/isc-pkcs11/include/pkcs11/Makefile
+- lib/isc-pkcs11/tests/Makefile
+- lib/isc-pkcs11/unix/Makefile
+- lib/isc-pkcs11/unix/include/Makefile
+- lib/isc-pkcs11/unix/include/isc/Makefile
+- lib/isc-pkcs11/unix/include/pkcs11/Makefile
+ lib/isccc/Makefile
+ lib/isccc/include/Makefile
+ lib/isccc/include/isccc/Makefile
+diff --git a/lib/Makefile.in b/lib/Makefile.in
+index 439d748..3f655e8 100644
+--- a/lib/Makefile.in
++++ b/lib/Makefile.in
+@@ -15,7 +15,7 @@ top_srcdir = @top_srcdir@
+ # Attempt to disable parallel processing.
+ .NOTPARALLEL:
+ .NO_PARALLEL:
+-SUBDIRS = isc isc-pkcs11 isccc dns dns-pkcs11 ns isccfg bind9 irs samples
++SUBDIRS = isc isccc dns dns-pkcs11 ns isccfg bind9 irs samples
+ TARGETS =
+
+ @BIND9_MAKE_RULES@
+diff --git a/lib/dns-pkcs11/tests/Makefile.in b/lib/dns-pkcs11/tests/Makefile.in
+index 9f78596..ac187c9 100644
+--- a/lib/dns-pkcs11/tests/Makefile.in
++++ b/lib/dns-pkcs11/tests/Makefile.in
+@@ -19,8 +19,8 @@ CINCLUDES = -I. -Iinclude ${DNS_PKCS11_INCLUDES} ${ISC_PKCS11_INCLUDES} \
+ @OPENSSL_INCLUDES@ @CMOCKA_CFLAGS@
+ CDEFINES = -DTESTS="\"${top_builddir}/lib/dns-pkcs11/tests/\""
+
+-ISCLIBS = ../../isc-pkcs11/libisc-pkcs11.@A@
+-ISCDEPLIBS = ../../isc-pkcs11/libisc-pkcs11.@A@
++ISCLIBS = ../../isc/libisc.@A@
++ISCDEPLIBS = ../../isc/libisc.@A@
+ DNSLIBS = ../libdns-pkcs11.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
+ DNSDEPLIBS = ../libdns-pkcs11.@A@
+
+diff --git a/make/includes.in b/make/includes.in
+index 6e6572b..7b17738 100644
+--- a/make/includes.in
++++ b/make/includes.in
+@@ -40,12 +40,6 @@ BIND9_INCLUDES = @BIND9_BIND9_BUILDINCLUDE@ \
+ TEST_INCLUDES = \
+ -I${top_srcdir}/lib/tests/include
+
+-ISC_PKCS11_INCLUDES = @BIND9_ISC_PKCS11_BUILDINCLUDE@ \
+- -I${top_srcdir}/lib/isc-pkcs11 \
+- -I${top_srcdir}/lib/isc-pkcs11/include \
+- -I${top_srcdir}/lib/isc-pkcs11/unix/include \
+- -I${top_srcdir}/lib/isc-pkcs11/pthreads/include
+-
+ DNS_PKCS11_INCLUDES = @BIND9_DNS_PKCS11_BUILDINCLUDE@ \
+ -I${top_srcdir}/lib/dns-pkcs11/include
+
+--
+2.20.1
+
diff --git a/bind.spec b/bind.spec
index 92240f7..df6cc92 100644
--- a/bind.spec
+++ b/bind.spec
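Review bot: `${ISC_PKCS11_INCLUDES}` is still referenced by lib/dns-pkcs11/tests/Makefile.in after bind-9.14-disable-isc-pkcs11.patch deletes its definition in make/includes.in. The tests hunk only switches `ISCLIBS` and `ISCDEPLIBS` to `../../isc/libisc.@A@`, while the `CINCLUDES` line visible in its hunk header is left as it was. With the variable empty, the dns-pkcs11 unit tests would presumably lose the ISC include paths and either fail to compile or resolve ISC headers from somewhere else on the include path. The line should match the other Makefiles changed in this patch: `CINCLUDES = -I. -Iinclude ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} \`. That assignment starts above the hunk, so the patch needs one more changed line there.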
@@ -126,15 +126,19 @@ Patch112:bind97-rh645544.patch Patch130:bind-9.9.1-P2-dlz-libdb.patch Patch131:bind-9.9.1-P2-multlib-conflict.patch Patch133:bind99-rh640538.patch +# Make PKCS11 used only for pkcs11 parts +Patch135:bind-9.14-config-pkcs11.patch # Fedora specific patch to distribute native-pkcs#11 functionality Patch136:bind-9.10-dist-native-pkcs11.patch +# Do not use isc-pkcs11. +# FIXME: should be part of Patch136 +Patch138:bind-9.14-disable-isc-pkcs11.patch +Patch149:bind-9.11-kyua-pkcs11.patch # [ISC-Bugs #42525] non-portable use of strlcat in contrib/sdb/ldap/zone2ldap.c # introduced by https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=fc9f0ac5778f78003a7acc957a23711811fec122 Patch137:bind-9.10-use-of-strlcat.patch Patch140:bind-9.11-rh1410433.patch -# [ISC-Bugs #46853] commit cb616c6d5c2ece1fac37fa6e0bca2b53d4043098 ISC 4851 -Patch149:bind-9.11-kyua-pkcs11.patch # Avoid conflicts with OpenSSL PKCS11 engine Patch150:bind-9.11-engine-pkcs11.patch Patch153:bind-9.11-export-suffix.patch @@ -581,11 +585,13 @@ are used for building ISC DHCP. %patch187 -p1 -b .oot-gen %if %{with PKCS11} +%patch135 -p1 -b .config-pkcs11 cp -r bin/named{,-pkcs11} cp -r bin/dnssec{,-pkcs11} cp -r lib/isc{,-pkcs11} cp -r lib/dns{,-pkcs11} %patch136 -p1 -b .dist_pkcs11 +%patch138 -p1 -b .no-isc-pkcs11 %patch149 -p1 -b .kyua-pkcs11 %patch150 -p1 -b .engine-pkcs11 %endif
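Review bot: Moving `Patch149` up drops its provenance comment, `# [ISC-Bugs #46853] commit cb616c6d5c2ece1fac37fa6e0bca2b53d4043098 ISC 4851`, which was the only record in this hunk of the upstream bug and commit behind bind-9.11-kyua-pkcs11.patch. The line now also sits directly under `# FIXME: should be part of Patch136`, so that comment reads as if it described Patch149 as well as Patch138. Keep the reference with the moved line by placing the `# [ISC-Bugs #46853] ...` comment between `Patch138:bind-9.14-disable-isc-pkcs11.patch` and `Patch149:bind-9.11-kyua-pkcs11.patch`.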