diff --git a/bind-9.18-pkcs11-engine-compat-api.patch b/bind-9.18-pkcs11-engine-compat-api.patch
new file mode 100644
index 0000000..32126f4
--- /dev/null
+++ b/bind-9.18-pkcs11-engine-compat-api.patch
@@ -0,0 +1,1554 @@
+From 561356ec1d46abb939e4eed10ee2c9e639eb88db Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Thu, 8 Sep 2022 17:19:20 +0200
+Subject: [PATCH 2/3] Do not use OSSL_PARAM when engine API is compiled
+
+OpenSSL has deprecated many things in version 3.0. If pkcs11 engine
+should work then no builder from OpenSSL 3.0 API can be used.
+
+Allow switching to OpenSSL 1.1 like calls even on OpenSSL 3.0 when
+OPENSSL_API_COMPAT=10100 is defined. It would still compile and allow
+working keys loading from the engine passed on command line.
+---
+ lib/dns/openssldh_link.c    | 136 +++++++++++++++++++-----------------
+ lib/dns/opensslecdsa_link.c | 119 +++++++++++++++----------------
+ lib/dns/opensslrsa_link.c   | 118 +++++++++++++++----------------
+ 3 files changed, 189 insertions(+), 184 deletions(-)
+
+diff --git a/lib/dns/openssldh_link.c b/lib/dns/openssldh_link.c
+index d5dbc2e889..96c1d523b7 100644
+--- a/lib/dns/openssldh_link.c
++++ b/lib/dns/openssldh_link.c
+@@ -91,7 +91,7 @@ static BIGNUM *bn2 = NULL, *bn768 = NULL, *bn1024 = NULL, *bn1536 = NULL;
+ static isc_result_t
+ openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv,
+ 			isc_buffer_t *secret) {
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	DH *dhpub, *dhpriv;
+ 	const BIGNUM *pub_key = NULL;
+ 	int secret_len = 0;
+@@ -99,11 +99,11 @@ openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv,
+ 	EVP_PKEY_CTX *ctx = NULL;
+ 	EVP_PKEY *dhpub, *dhpriv;
+ 	size_t secret_len = 0;
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 	isc_region_t r;
+ 	unsigned int len;
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	REQUIRE(pub->keydata.dh != NULL);
+ 	REQUIRE(priv->keydata.dh != NULL);
+ 
+@@ -119,14 +119,14 @@ openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv,
+ 	dhpriv = priv->keydata.pkey;
+ 
+ 	len = EVP_PKEY_get_size(dhpriv);
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 
+ 	isc_buffer_availableregion(secret, &r);
+ 	if (r.length < len) {
+ 		return (ISC_R_NOSPACE);
+ 	}
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	DH_get0_key(dhpub, &pub_key, NULL);
+ 	secret_len = DH_compute_key(r.base, pub_key, dhpriv);
+ 	if (secret_len <= 0) {
+@@ -156,7 +156,7 @@ openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv,
+ 					       DST_R_COMPUTESECRETFAILURE));
+ 	}
+ 	EVP_PKEY_CTX_free(ctx);
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 
+ 	isc_buffer_add(secret, (unsigned int)secret_len);
+ 
+@@ -165,7 +165,7 @@ openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv,
+ 
+ static bool
+ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) {
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	DH *dh1, *dh2;
+ 	const BIGNUM *pub_key1 = NULL, *pub_key2 = NULL;
+ 	const BIGNUM *priv_key1 = NULL, *priv_key2 = NULL;
+@@ -175,9 +175,9 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) {
+ 	BIGNUM *pub_key1 = NULL, *pub_key2 = NULL;
+ 	BIGNUM *priv_key1 = NULL, *priv_key2 = NULL;
+ 	BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL;
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	dh1 = key1->keydata.dh;
+ 	dh2 = key2->keydata.dh;
+ 
+@@ -209,7 +209,7 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) {
+ 	EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_PUB_KEY, &pub_key2);
+ 	EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_PRIV_KEY, &priv_key1);
+ 	EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_PRIV_KEY, &priv_key2);
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L*/
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000*/
+ 
+ 	if (BN_cmp(p1, p2) != 0 || BN_cmp(g1, g2) != 0 ||
+ 	    BN_cmp(pub_key1, pub_key2) != 0)
+@@ -226,7 +226,7 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) {
+ 		}
+ 	}
+ 
+-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
+ 	if (p1 != NULL) {
+ 		BN_free(p1);
+ 	}
+@@ -251,22 +251,23 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) {
+ 	if (priv_key2 != NULL) {
+ 		BN_clear_free(priv_key2);
+ 	}
+-#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \
++	*/
+ 
+ 	return (true);
+ }
+ 
+ static bool
+ openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	DH *dh1, *dh2;
+ 	const BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL;
+ #else
+ 	EVP_PKEY *pkey1, *pkey2;
+ 	BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL;
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	dh1 = key1->keydata.dh;
+ 	dh2 = key2->keydata.dh;
+ 
+@@ -292,13 +293,13 @@ openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
+ 	EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_FFC_P, &p2);
+ 	EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_FFC_G, &g1);
+ 	EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_FFC_G, &g2);
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 
+ 	if (BN_cmp(p1, p2) != 0 || BN_cmp(g1, g2) != 0) {
+ 		return (false);
+ 	}
+ 
+-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
+ 	if (p1 != NULL) {
+ 		BN_free(p1);
+ 	}
+@@ -311,12 +312,13 @@ openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
+ 	if (g2 != NULL) {
+ 		BN_free(g2);
+ 	}
+-#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \
++	*/
+ 
+ 	return (true);
+ }
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ static int
+ progress_cb(int p, int n, BN_GENCB *cb) {
+ 	union {
+@@ -347,7 +349,7 @@ progress_cb(EVP_PKEY_CTX *ctx) {
+ 	}
+ 	return (1);
+ }
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 
+ static isc_result_t
+ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
+@@ -357,7 +359,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
+ 		void (*fptr)(int);
+ 	} u;
+ 	BIGNUM *p = NULL, *g = NULL;
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	DH *dh = NULL;
+ 	BN_GENCB *cb = NULL;
+ #if !HAVE_BN_GENCB_NEW
+@@ -370,9 +372,9 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
+ 	EVP_PKEY_CTX *ctx = NULL;
+ 	EVP_PKEY *param_pkey = NULL;
+ 	EVP_PKEY *pkey = NULL;
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	dh = DH_new();
+ 	if (dh == NULL) {
+ 		DST_RET(dst__openssl_toresult(ISC_R_NOMEMORY));
+@@ -386,7 +388,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
+ 	if (param_ctx == NULL) {
+ 		DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+ 	}
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 
+ 	if (generator == 0) {
+ 		/*
+@@ -406,7 +408,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
+ 			if (p == NULL || g == NULL) {
+ 				DST_RET(dst__openssl_toresult(ISC_R_NOMEMORY));
+ 			}
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 			if (DH_set0_pqg(dh, p, NULL, g) != 1) {
+ 				DST_RET(dst__openssl_toresult2(
+ 					"DH_set0_pqg", DST_R_OPENSSLFAILURE));
+@@ -430,7 +432,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
+ 					DST_R_OPENSSLFAILURE));
+ 			}
+ 			params = OSSL_PARAM_BLD_to_param(bld);
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 
+ 		} else {
+ 			/*
+@@ -443,7 +445,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
+ 	}
+ 
+ 	if (generator != 0) {
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 		cb = BN_GENCB_new();
+ #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ 		if (cb == NULL) {
+@@ -486,10 +488,10 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
+ 						       DST_R_OPENSSLFAILURE));
+ 		}
+ 		params = OSSL_PARAM_BLD_to_param(bld);
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 	}
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	if (DH_generate_key(dh) == 0) {
+ 		DST_RET(dst__openssl_toresult2("DH_generate_key",
+ 					       DST_R_OPENSSLFAILURE));
+@@ -557,12 +559,12 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
+ 
+ 	key->keydata.pkey = pkey;
+ 	pkey = NULL;
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 
+ 	ret = ISC_R_SUCCESS;
+ 
+ err:
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	if (dh != NULL) {
+ 		DH_free(dh);
+ 	}
+@@ -594,14 +596,14 @@ err:
+ 	if (g != NULL) {
+ 		BN_free(g);
+ 	}
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 
+ 	return (ret);
+ }
+ 
+ static bool
+ openssldh_isprivate(const dst_key_t *key) {
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	DH *dh = key->keydata.dh;
+ 	const BIGNUM *priv_key = NULL;
+ 
+@@ -626,12 +628,12 @@ openssldh_isprivate(const dst_key_t *key) {
+ 	}
+ 
+ 	return (ret);
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ }
+ 
+ static void
+ openssldh_destroy(dst_key_t *key) {
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	DH *dh = key->keydata.dh;
+ 
+ 	if (dh == NULL) {
+@@ -649,7 +651,7 @@ openssldh_destroy(dst_key_t *key) {
+ 
+ 	EVP_PKEY_free(pkey);
+ 	key->keydata.pkey = NULL;
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ }
+ 
+ static void
+@@ -675,17 +677,17 @@ uint16_fromregion(isc_region_t *region) {
+ 
+ static isc_result_t
+ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	DH *dh;
+ 	const BIGNUM *pub_key = NULL, *p = NULL, *g = NULL;
+ #else
+ 	EVP_PKEY *pkey;
+ 	BIGNUM *pub_key = NULL, *p = NULL, *g = NULL;
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 	isc_region_t r;
+ 	uint16_t dnslen, plen, glen, publen;
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	REQUIRE(key->keydata.dh != NULL);
+ 
+ 	dh = key->keydata.dh;
+@@ -698,7 +700,7 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
+ 	EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_FFC_P, &p);
+ 	EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_FFC_G, &g);
+ 	EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PUB_KEY, &pub_key);
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 
+ 	isc_buffer_availableregion(data, &r);
+ 
+@@ -745,7 +747,7 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
+ 
+ 	isc_buffer_add(data, dnslen);
+ 
+-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
+ 	if (p != NULL) {
+ 		BN_free(p);
+ 	}
+@@ -755,7 +757,8 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
+ 	if (pub_key != NULL) {
+ 		BN_free(pub_key);
+ 	}
+-#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \
++	*/
+ 
+ 	return (ISC_R_SUCCESS);
+ }
+@@ -763,14 +766,14 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
+ static isc_result_t
+ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
+ 	isc_result_t ret;
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	DH *dh;
+ #else
+ 	OSSL_PARAM_BLD *bld = NULL;
+ 	OSSL_PARAM *params = NULL;
+ 	EVP_PKEY_CTX *ctx = NULL;
+ 	EVP_PKEY *pkey = NULL;
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 	BIGNUM *pub_key = NULL, *p = NULL, *g = NULL;
+ 	int key_size;
+ 	isc_region_t r;
+@@ -782,7 +785,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
+ 		return (ISC_R_SUCCESS);
+ 	}
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	dh = DH_new();
+ 	if (dh == NULL) {
+ 		DST_RET(dst__openssl_toresult(ISC_R_NOMEMORY));
+@@ -797,7 +800,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
+ 	if (ctx == NULL) {
+ 		DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+ 	}
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 
+ 	/*
+ 	 * Read the prime length.  1 & 2 are table entries, > 16 means a
+@@ -873,7 +876,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
+ 
+ 	key_size = BN_num_bits(p);
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	if (DH_set0_pqg(dh, p, NULL, g) != 1) {
+ 		DST_RET(dst__openssl_toresult2("DH_set0_pqg",
+ 					       DST_R_OPENSSLFAILURE));
+@@ -889,7 +892,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
+ 		DST_RET(dst__openssl_toresult2("OSSL_PARAM_BLD_push_BN",
+ 					       DST_R_OPENSSLFAILURE));
+ 	}
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 
+ 	if (r.length < 2) {
+ 		DST_RET(DST_R_INVALIDPUBLICKEY);
+@@ -907,7 +910,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
+ 
+ 	isc_buffer_forward(data, plen + glen + publen + 6);
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ #if (LIBRESSL_VERSION_NUMBER >= 0x2070000fL) && \
+ 	(LIBRESSL_VERSION_NUMBER <= 0x2070200fL)
+ 	/*
+@@ -951,14 +954,14 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
+ 
+ 	key->keydata.pkey = pkey;
+ 	pkey = NULL;
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 
+ 	key->key_size = (unsigned int)key_size;
+ 
+ 	ret = ISC_R_SUCCESS;
+ 
+ err:
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	if (dh != NULL) {
+ 		DH_free(dh);
+ 	}
+@@ -975,7 +978,7 @@ err:
+ 	if (bld != NULL) {
+ 		OSSL_PARAM_BLD_free(bld);
+ 	}
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 	if (p != NULL) {
+ 		BN_free(p);
+ 	}
+@@ -991,13 +994,13 @@ err:
+ 
+ static isc_result_t
+ openssldh_tofile(const dst_key_t *key, const char *directory) {
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	DH *dh;
+ 	const BIGNUM *pub_key = NULL, *priv_key = NULL, *p = NULL, *g = NULL;
+ #else
+ 	EVP_PKEY *pkey;
+ 	BIGNUM *pub_key = NULL, *priv_key = NULL, *p = NULL, *g = NULL;
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 	dst_private_t priv;
+ 	unsigned char *bufs[4] = { NULL };
+ 	unsigned short i = 0;
+@@ -1007,7 +1010,7 @@ openssldh_tofile(const dst_key_t *key, const char *directory) {
+ 		return (DST_R_EXTERNALKEY);
+ 	}
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	if (key->keydata.dh == NULL) {
+ 		return (DST_R_NULLKEY);
+ 	}
+@@ -1025,7 +1028,7 @@ openssldh_tofile(const dst_key_t *key, const char *directory) {
+ 	EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_FFC_G, &g);
+ 	EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PUB_KEY, &pub_key);
+ 	EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PRIV_KEY, &priv_key);
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 
+ 	priv.elements[i].tag = TAG_DH_PRIME;
+ 	priv.elements[i].length = BN_num_bytes(p);
+@@ -1065,7 +1068,7 @@ openssldh_tofile(const dst_key_t *key, const char *directory) {
+ 		}
+ 	}
+ 
+-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
+ 	if (p != NULL) {
+ 		BN_free(p);
+ 	}
+@@ -1078,7 +1081,8 @@ openssldh_tofile(const dst_key_t *key, const char *directory) {
+ 	if (priv_key != NULL) {
+ 		BN_clear_free(priv_key);
+ 	}
+-#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \
++	*/
+ 
+ 	return (result);
+ }
+@@ -1088,14 +1092,14 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+ 	dst_private_t priv;
+ 	isc_result_t ret;
+ 	int i;
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	DH *dh = NULL;
+ #else
+ 	OSSL_PARAM_BLD *bld = NULL;
+ 	OSSL_PARAM *params = NULL;
+ 	EVP_PKEY_CTX *ctx = NULL;
+ 	EVP_PKEY *pkey = NULL;
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 	BIGNUM *pub_key = NULL, *priv_key = NULL, *p = NULL, *g = NULL;
+ 	int key_size = 0;
+ 	isc_mem_t *mctx;
+@@ -1113,7 +1117,7 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+ 		DST_RET(DST_R_EXTERNALKEY);
+ 	}
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	dh = DH_new();
+ 	if (dh == NULL) {
+ 		DST_RET(ISC_R_NOMEMORY);
+@@ -1128,7 +1132,7 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+ 	if (ctx == NULL) {
+ 		DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+ 	}
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 
+ 	for (i = 0; i < priv.nelements; i++) {
+ 		BIGNUM *bn;
+@@ -1155,7 +1159,7 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+ 		}
+ 	}
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	if (DH_set0_key(dh, pub_key, priv_key) != 1) {
+ 		DST_RET(dst__openssl_toresult2("DH_set0_key",
+ 					       DST_R_OPENSSLFAILURE));
+@@ -1202,13 +1206,13 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+ 
+ 	key->keydata.pkey = pkey;
+ 	pkey = NULL;
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 
+ 	key->key_size = (unsigned int)key_size;
+ 	ret = ISC_R_SUCCESS;
+ 
+ err:
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	if (dh != NULL) {
+ 		DH_free(dh);
+ 	}
+@@ -1225,7 +1229,7 @@ err:
+ 	if (bld != NULL) {
+ 		OSSL_PARAM_BLD_free(bld);
+ 	}
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 	if (p != NULL) {
+ 		BN_free(p);
+ 	}
+diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c
+index 519e88b7e7..04f0d80b5e 100644
+--- a/lib/dns/opensslecdsa_link.c
++++ b/lib/dns/opensslecdsa_link.c
+@@ -17,14 +17,14 @@
+ 
+ #include <openssl/bn.h>
+ #include <openssl/opensslv.h>
+-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
+ #include <openssl/core_names.h>
+ #endif
+ #include <openssl/ecdsa.h>
+ #include <openssl/err.h>
+ #include <openssl/evp.h>
+ #include <openssl/objects.h>
+-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
+ #include <openssl/param_build.h>
+ #endif
+ #if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
+@@ -57,7 +57,7 @@
+ 		goto err; \
+ 	}
+ 
+-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
+ static isc_result_t
+ raw_key_to_ossl(unsigned int key_alg, int private, const unsigned char *key,
+ 		size_t key_len, EVP_PKEY **pkey) {
+@@ -159,7 +159,8 @@ err:
+ 
+ 	return (ret);
+ }
+-#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \
++	*/
+ 
+ static isc_result_t
+ opensslecdsa_createctx(dst_key_t *key, dst_context_t *dctx) {
+@@ -411,7 +412,7 @@ opensslecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
+ 	bool ret;
+ 	EVP_PKEY *pkey1 = key1->keydata.pkey;
+ 	EVP_PKEY *pkey2 = key2->keydata.pkey;
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	EC_KEY *eckey1 = NULL;
+ 	EC_KEY *eckey2 = NULL;
+ 	const BIGNUM *priv1;
+@@ -419,7 +420,7 @@ opensslecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
+ #else
+ 	BIGNUM *priv1 = NULL;
+ 	BIGNUM *priv2 = NULL;
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 
+ 	if (pkey1 == NULL && pkey2 == NULL) {
+ 		return (true);
+@@ -432,7 +433,7 @@ opensslecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
+ 		DST_RET(false);
+ 	}
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	eckey1 = EVP_PKEY_get1_EC_KEY(pkey1);
+ 	eckey2 = EVP_PKEY_get1_EC_KEY(pkey2);
+ 	if (eckey1 == NULL && eckey2 == NULL) {
+@@ -445,7 +446,7 @@ opensslecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
+ #else
+ 	EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_PRIV_KEY, &priv1);
+ 	EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_PRIV_KEY, &priv2);
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 
+ 	if (priv1 != NULL || priv2 != NULL) {
+ 		if (priv1 == NULL || priv2 == NULL || BN_cmp(priv1, priv2) != 0)
+@@ -457,7 +458,7 @@ opensslecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
+ 	ret = true;
+ 
+ err:
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	if (eckey1 != NULL) {
+ 		EC_KEY_free(eckey1);
+ 	}
+@@ -471,7 +472,7 @@ err:
+ 	if (priv2 != NULL) {
+ 		BN_clear_free(priv2);
+ 	}
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 
+ 	return (ret);
+ }
+@@ -481,12 +482,12 @@ opensslecdsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
+ 	isc_result_t ret;
+ 	int status;
+ 	EVP_PKEY *pkey = NULL;
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	EC_KEY *eckey = NULL;
+ #else
+ 	EVP_PKEY_CTX *ctx = NULL;
+ 	EVP_PKEY *params_pkey = NULL;
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 	int group_nid;
+ 
+ 	REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
+@@ -502,7 +503,7 @@ opensslecdsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
+ 		key->key_size = DNS_KEY_ECDSA384SIZE * 4;
+ 	}
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	eckey = EC_KEY_new_by_curve_name(group_nid);
+ 	if (eckey == NULL) {
+ 		DST_RET(dst__openssl_toresult2("EC_KEY_new_by_curve_name",
+@@ -563,7 +564,7 @@ opensslecdsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
+ 		DST_RET(dst__openssl_toresult2("EVP_PKEY_keygen",
+ 					       DST_R_OPENSSLFAILURE));
+ 	}
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 
+ 	key->keydata.pkey = pkey;
+ 	pkey = NULL;
+@@ -573,7 +574,7 @@ err:
+ 	if (pkey != NULL) {
+ 		EVP_PKEY_free(pkey);
+ 	}
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	if (eckey != NULL) {
+ 		EC_KEY_free(eckey);
+ 	}
+@@ -584,7 +585,7 @@ err:
+ 	if (ctx != NULL) {
+ 		EVP_PKEY_CTX_free(ctx);
+ 	}
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 
+ 	return (ret);
+ }
+@@ -593,11 +594,11 @@ static bool
+ opensslecdsa_isprivate(const dst_key_t *key) {
+ 	bool ret;
+ 	EVP_PKEY *pkey;
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	EC_KEY *eckey;
+ #else
+ 	BIGNUM *priv = NULL;
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 
+ 	REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
+ 		key->key_alg == DST_ALG_ECDSA384);
+@@ -607,7 +608,7 @@ opensslecdsa_isprivate(const dst_key_t *key) {
+ 		return (false);
+ 	}
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	eckey = EVP_PKEY_get1_EC_KEY(pkey);
+ 
+ 	ret = (eckey != NULL && EC_KEY_get0_private_key(eckey) != NULL);
+@@ -621,7 +622,7 @@ opensslecdsa_isprivate(const dst_key_t *key) {
+ 	if (priv != NULL) {
+ 		BN_clear_free(priv);
+ 	}
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 
+ 	return (ret);
+ }
+@@ -640,7 +641,7 @@ static isc_result_t
+ opensslecdsa_todns(const dst_key_t *key, isc_buffer_t *data) {
+ 	isc_result_t ret;
+ 	EVP_PKEY *pkey;
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	EC_KEY *eckey = NULL;
+ 	int len;
+ 	unsigned char *cp;
+@@ -650,7 +651,7 @@ opensslecdsa_todns(const dst_key_t *key, isc_buffer_t *data) {
+ 	BIGNUM *y = NULL;
+ 	size_t keysize = 0;
+ 	size_t len = 0;
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 	isc_region_t r;
+ 	unsigned char buf[DNS_KEY_ECDSA384SIZE + 1];
+ 
+@@ -658,7 +659,7 @@ opensslecdsa_todns(const dst_key_t *key, isc_buffer_t *data) {
+ 
+ 	pkey = key->keydata.pkey;
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	eckey = EVP_PKEY_get1_EC_KEY(pkey);
+ 	if (eckey == NULL) {
+ 		DST_RET(dst__openssl_toresult(ISC_R_FAILURE));
+@@ -677,14 +678,14 @@ opensslecdsa_todns(const dst_key_t *key, isc_buffer_t *data) {
+ 	}
+ 
+ 	len = keysize;
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 
+ 	isc_buffer_availableregion(data, &r);
+ 	if (r.length < (unsigned int)len) {
+ 		DST_RET(ISC_R_NOSPACE);
+ 	}
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	cp = buf;
+ 	if (!i2o_ECPublicKey(eckey, &cp)) {
+ 		DST_RET(dst__openssl_toresult(ISC_R_FAILURE));
+@@ -704,13 +705,13 @@ opensslecdsa_todns(const dst_key_t *key, isc_buffer_t *data) {
+ 	BN_bn2bin_fixed(x, &buf[0], keysize / 2);
+ 	BN_bn2bin_fixed(y, &buf[keysize / 2], keysize / 2);
+ 	memmove(r.base, buf, len);
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 
+ 	isc_buffer_add(data, len);
+ 	ret = ISC_R_SUCCESS;
+ 
+ err:
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	if (eckey != NULL) {
+ 		EC_KEY_free(eckey);
+ 	}
+@@ -721,7 +722,7 @@ err:
+ 	if (y != NULL) {
+ 		BN_clear_free(y);
+ 	}
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 
+ 	return (ret);
+ }
+@@ -731,7 +732,7 @@ opensslecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
+ 	isc_result_t ret;
+ 	EVP_PKEY *pkey = NULL;
+ 	isc_region_t r;
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	EC_KEY *eckey = NULL;
+ 	const unsigned char *cp;
+ 	unsigned int len;
+@@ -739,7 +740,7 @@ opensslecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
+ 	int group_nid;
+ #else
+ 	size_t len;
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 
+ 	REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
+ 		key->key_alg == DST_ALG_ECDSA384);
+@@ -758,7 +759,7 @@ opensslecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
+ 		DST_RET(DST_R_INVALIDPUBLICKEY);
+ 	}
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	if (key->key_alg == DST_ALG_ECDSA256) {
+ 		group_nid = NID_X9_62_prime256v1;
+ 	} else {
+@@ -794,7 +795,7 @@ opensslecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
+ 	if (ret != ISC_R_SUCCESS) {
+ 		DST_RET(ret);
+ 	}
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 
+ 	isc_buffer_forward(data, len);
+ 	key->keydata.pkey = pkey;
+@@ -802,11 +803,11 @@ opensslecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
+ 	ret = ISC_R_SUCCESS;
+ 
+ err:
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	if (eckey != NULL) {
+ 		EC_KEY_free(eckey);
+ 	}
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 	return (ret);
+ }
+ 
+@@ -814,13 +815,13 @@ static isc_result_t
+ opensslecdsa_tofile(const dst_key_t *key, const char *directory) {
+ 	isc_result_t ret;
+ 	EVP_PKEY *pkey;
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	EC_KEY *eckey = NULL;
+ 	const BIGNUM *privkey = NULL;
+ #else
+ 	int status;
+ 	BIGNUM *privkey = NULL;
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 	dst_private_t priv;
+ 	unsigned char *buf = NULL;
+ 	unsigned short i;
+@@ -835,7 +836,7 @@ opensslecdsa_tofile(const dst_key_t *key, const char *directory) {
+ 	}
+ 
+ 	pkey = key->keydata.pkey;
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	eckey = EVP_PKEY_get1_EC_KEY(pkey);
+ 	if (eckey == NULL) {
+ 		DST_RET(dst__openssl_toresult2("EVP_PKEY_get1_EC_KEY",
+@@ -853,7 +854,7 @@ opensslecdsa_tofile(const dst_key_t *key, const char *directory) {
+ 		DST_RET(dst__openssl_toresult2("EVP_PKEY_get_bn_param",
+ 					       DST_R_OPENSSLFAILURE));
+ 	}
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 
+ 	buf = isc_mem_get(key->mctx, BN_num_bytes(privkey));
+ 
+@@ -888,7 +889,7 @@ err:
+ 	if (buf != NULL && privkey != NULL) {
+ 		isc_mem_put(key->mctx, buf, BN_num_bytes(privkey));
+ 	}
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	if (eckey != NULL) {
+ 		EC_KEY_free(eckey);
+ 	}
+@@ -896,12 +897,12 @@ err:
+ 	if (privkey != NULL) {
+ 		BN_clear_free(privkey);
+ 	}
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 
+ 	return (ret);
+ }
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ static isc_result_t
+ ecdsa_check(EC_KEY *eckey, EC_KEY *pubeckey) {
+ 	const EC_POINT *pubkey;
+@@ -1065,9 +1066,9 @@ err:
+ 
+ 	return (ret);
+ }
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ static isc_result_t
+ load_privkey_from_privstruct(EC_KEY *eckey, dst_private_t *priv,
+ 			     int privkey_index) {
+@@ -1102,16 +1103,16 @@ eckey_to_pkey(EC_KEY *eckey, EVP_PKEY **pkey) {
+ 	}
+ 	return (ISC_R_SUCCESS);
+ }
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 
+ static isc_result_t
+ finalize_eckey(dst_key_t *key,
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	       EC_KEY *eckey,
+ #endif
+ 	       const char *engine, const char *label) {
+ 	isc_result_t result = ISC_R_SUCCESS;
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	EVP_PKEY *pkey = NULL;
+ 
+ 	REQUIRE(eckey != NULL);
+@@ -1122,7 +1123,7 @@ finalize_eckey(dst_key_t *key,
+ 	}
+ 
+ 	key->keydata.pkey = pkey;
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 
+ 	if (label != NULL) {
+ 		key->label = isc_mem_strdup(key->mctx, label);
+@@ -1138,7 +1139,7 @@ finalize_eckey(dst_key_t *key,
+ 	return (result);
+ }
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ static isc_result_t
+ dst__key_to_eckey(dst_key_t *key, EC_KEY **eckey) {
+ 	int group_nid;
+@@ -1163,7 +1164,7 @@ dst__key_to_eckey(dst_key_t *key, EC_KEY **eckey) {
+ 
+ 	return (ISC_R_SUCCESS);
+ }
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 
+ static isc_result_t
+ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
+@@ -1173,10 +1174,10 @@ static isc_result_t
+ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+ 	dst_private_t priv;
+ 	isc_result_t ret;
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	EC_KEY *eckey = NULL;
+ 	EC_KEY *pubeckey = NULL;
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 	const char *engine = NULL;
+ 	const char *label = NULL;
+ 	int i, privkey_index = -1;
+@@ -1227,14 +1228,14 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+ 			goto err;
+ 		}
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 		eckey = EVP_PKEY_get1_EC_KEY(key->keydata.pkey);
+ 		if (eckey == NULL) {
+ 			DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+ 		}
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 	} else {
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 		ret = dst__key_to_eckey(key, &eckey);
+ 		if (ret != ISC_R_SUCCESS) {
+ 			goto err;
+@@ -1251,7 +1252,7 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+ 				      priv.elements[privkey_index].data,
+ 				      priv.elements[privkey_index].length,
+ 				      &key->keydata.pkey);
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 
+ 		if (ret != ISC_R_SUCCESS) {
+ 			goto err;
+@@ -1260,7 +1261,7 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+ 		finalize_key = true;
+ 	}
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	if (pub != NULL && pub->keydata.pkey != NULL) {
+ 		pubeckey = EVP_PKEY_get1_EC_KEY(pub->keydata.pkey);
+ 	}
+@@ -1283,17 +1284,17 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+ 	if (finalize_key) {
+ 		ret = finalize_eckey(key, engine, label);
+ 	}
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 
+ err:
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	if (pubeckey != NULL) {
+ 		EC_KEY_free(pubeckey);
+ 	}
+ 	if (eckey != NULL) {
+ 		EC_KEY_free(eckey);
+ 	}
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 	if (ret != ISC_R_SUCCESS) {
+ 		key->keydata.generic = NULL;
+ 	}
+diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
+index fc905b7d60..867b486a2f 100644
+--- a/lib/dns/opensslrsa_link.c
++++ b/lib/dns/opensslrsa_link.c
+@@ -18,7 +18,7 @@
+ 
+ #include <openssl/bn.h>
+ #include <openssl/opensslv.h>
+-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
+ #include <openssl/core_names.h>
+ #endif
+ #if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
+@@ -26,7 +26,7 @@
+ #endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
+ #include <openssl/err.h>
+ #include <openssl/objects.h>
+-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
+ #include <openssl/param_build.h>
+ #endif
+ #include <openssl/rsa.h>
+@@ -180,12 +180,12 @@ static isc_result_t
+ opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) {
+ 	dst_key_t *key = dctx->key;
+ 	int status = 0;
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	RSA *rsa;
+ 	const BIGNUM *e = NULL;
+ #else
+ 	BIGNUM *e = NULL;
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
+ 	EVP_PKEY *pkey = key->keydata.pkey;
+ 	int bits;
+@@ -195,7 +195,7 @@ opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) {
+ 		dctx->key->key_alg == DST_ALG_RSASHA256 ||
+ 		dctx->key->key_alg == DST_ALG_RSASHA512);
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	rsa = EVP_PKEY_get1_RSA(pkey);
+ 	if (rsa == NULL) {
+ 		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+@@ -213,7 +213,7 @@ opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) {
+ 	}
+ 	bits = BN_num_bits(e);
+ 	BN_free(e);
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 
+ 	if (bits > maxbits && maxbits != 0) {
+ 		return (DST_R_VERIFYFAILURE);
+@@ -243,7 +243,7 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
+ 	int status;
+ 	EVP_PKEY *pkey1 = key1->keydata.pkey;
+ 	EVP_PKEY *pkey2 = key2->keydata.pkey;
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	RSA *rsa1 = NULL;
+ 	RSA *rsa2 = NULL;
+ 	const BIGNUM *d1 = NULL, *d2 = NULL;
+@@ -253,7 +253,7 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
+ 	BIGNUM *d1 = NULL, *d2 = NULL;
+ 	BIGNUM *p1 = NULL, *p2 = NULL;
+ 	BIGNUM *q1 = NULL, *q2 = NULL;
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 
+ 	if (pkey1 == NULL && pkey2 == NULL) {
+ 		return (true);
+@@ -267,7 +267,7 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
+ 		DST_RET(false);
+ 	}
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	rsa1 = EVP_PKEY_get1_RSA(pkey1);
+ 	rsa2 = EVP_PKEY_get1_RSA(pkey2);
+ 	if (rsa1 == NULL && rsa2 == NULL) {
+@@ -280,14 +280,14 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
+ #else
+ 	EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_RSA_D, &d1);
+ 	EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_RSA_D, &d2);
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 
+ 	if (d1 != NULL || d2 != NULL) {
+ 		if (d1 == NULL || d2 == NULL) {
+ 			DST_RET(false);
+ 		}
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 		RSA_get0_factors(rsa1, &p1, &q1);
+ 		RSA_get0_factors(rsa2, &p2, &q2);
+ #else
+@@ -295,7 +295,7 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
+ 		EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_RSA_FACTOR2, &q1);
+ 		EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_RSA_FACTOR1, &p2);
+ 		EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_RSA_FACTOR2, &q2);
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 
+ 		if (BN_cmp(d1, d2) != 0 || BN_cmp(p1, p2) != 0 ||
+ 		    BN_cmp(q1, q2) != 0) {
+@@ -306,7 +306,7 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
+ 	ret = true;
+ 
+ err:
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	if (rsa1 != NULL) {
+ 		RSA_free(rsa1);
+ 	}
+@@ -332,12 +332,12 @@ err:
+ 	if (q2 != NULL) {
+ 		BN_clear_free(q2);
+ 	}
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 
+ 	return (ret);
+ }
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ static int
+ progress_cb(int p, int n, BN_GENCB *cb) {
+ 	union {
+@@ -368,7 +368,7 @@ progress_cb(EVP_PKEY_CTX *ctx) {
+ 	}
+ 	return (1);
+ }
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 
+ static isc_result_t
+ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
+@@ -378,7 +378,7 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
+ 		void (*fptr)(int);
+ 	} u;
+ 	BIGNUM *e = BN_new();
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	RSA *rsa = RSA_new();
+ 	EVP_PKEY *pkey = EVP_PKEY_new();
+ #if !HAVE_BN_GENCB_NEW
+@@ -388,9 +388,9 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
+ #else
+ 	EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL);
+ 	EVP_PKEY *pkey = NULL;
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	if (e == NULL || rsa == NULL || pkey == NULL || cb == NULL) {
+ 		DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+ 	}
+@@ -398,7 +398,7 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
+ 	if (e == NULL || ctx == NULL) {
+ 		DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+ 	}
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 
+ 	/*
+ 	 * Reject incorrect RSA key lengths.
+@@ -437,7 +437,7 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
+ 		BN_set_bit(e, 32);
+ 	}
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	if (EVP_PKEY_set1_RSA(pkey, rsa) != 1) {
+ 		DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+ 	}
+@@ -476,7 +476,7 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
+ 		DST_RET(dst__openssl_toresult2("EVP_PKEY_keygen",
+ 					       DST_R_OPENSSLFAILURE));
+ 	}
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 
+ 	key->keydata.pkey = pkey;
+ 	pkey = NULL;
+@@ -486,7 +486,7 @@ err:
+ 	if (pkey != NULL) {
+ 		EVP_PKEY_free(pkey);
+ 	}
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	if (rsa != NULL) {
+ 		RSA_free(rsa);
+ 	}
+@@ -497,7 +497,7 @@ err:
+ 	if (ctx != NULL) {
+ 		EVP_PKEY_CTX_free(ctx);
+ 	}
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 	if (e != NULL) {
+ 		BN_free(e);
+ 	}
+@@ -508,12 +508,12 @@ static bool
+ opensslrsa_isprivate(const dst_key_t *key) {
+ 	bool ret;
+ 	EVP_PKEY *pkey;
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	RSA *rsa;
+ 	const BIGNUM *d = NULL;
+ #else
+ 	BIGNUM *d = NULL;
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 
+ 	REQUIRE(key->key_alg == DST_ALG_RSASHA1 ||
+ 		key->key_alg == DST_ALG_NSEC3RSASHA1 ||
+@@ -525,7 +525,7 @@ opensslrsa_isprivate(const dst_key_t *key) {
+ 		return (false);
+ 	}
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	rsa = EVP_PKEY_get1_RSA(pkey);
+ 	INSIST(rsa != NULL);
+ 
+@@ -542,7 +542,7 @@ opensslrsa_isprivate(const dst_key_t *key) {
+ 	if (d != NULL) {
+ 		BN_clear_free(d);
+ 	}
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 
+ 	return (ret);
+ }
+@@ -564,19 +564,19 @@ opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data) {
+ 	unsigned int mod_bytes;
+ 	isc_result_t ret;
+ 	EVP_PKEY *pkey;
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	RSA *rsa;
+ 	const BIGNUM *e = NULL, *n = NULL;
+ #else
+ 	BIGNUM *e = NULL, *n = NULL;
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 
+ 	REQUIRE(key->keydata.pkey != NULL);
+ 
+ 	pkey = key->keydata.pkey;
+ 	isc_buffer_availableregion(data, &r);
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	rsa = EVP_PKEY_get1_RSA(pkey);
+ 	if (rsa == NULL) {
+ 		DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+@@ -588,7 +588,7 @@ opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data) {
+ 	if (e == NULL || n == NULL) {
+ 		DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+ 	}
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 
+ 	mod_bytes = BN_num_bytes(n);
+ 	e_bytes = BN_num_bytes(e);
+@@ -621,7 +621,7 @@ opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data) {
+ 
+ 	ret = ISC_R_SUCCESS;
+ err:
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	if (rsa != NULL) {
+ 		RSA_free(rsa);
+ 	}
+@@ -632,7 +632,7 @@ err:
+ 	if (n != NULL) {
+ 		BN_free(n);
+ 	}
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 	return (ret);
+ }
+ 
+@@ -643,13 +643,13 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
+ 	isc_region_t r;
+ 	unsigned int e_bytes;
+ 	unsigned int length;
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	RSA *rsa = NULL;
+ #else
+ 	OSSL_PARAM_BLD *bld = NULL;
+ 	OSSL_PARAM *params = NULL;
+ 	EVP_PKEY_CTX *ctx = NULL;
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 	EVP_PKEY *pkey = NULL;
+ 	BIGNUM *e = NULL, *n = NULL;
+ 
+@@ -691,7 +691,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
+ 
+ 	isc_buffer_forward(data, length);
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	rsa = RSA_new();
+ 	if (rsa == NULL) {
+ 		DST_RET(dst__openssl_toresult2("RSA_new",
+@@ -749,7 +749,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
+ 		DST_RET(dst__openssl_toresult2("EVP_PKEY_fromdata",
+ 					       DST_R_OPENSSLFAILURE));
+ 	}
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 
+ 	key->keydata.pkey = pkey;
+ 	pkey = NULL;
+@@ -757,7 +757,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
+ 
+ err:
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	if (rsa != NULL) {
+ 		RSA_free(rsa);
+ 	}
+@@ -771,7 +771,7 @@ err:
+ 	if (bld != NULL) {
+ 		OSSL_PARAM_BLD_free(bld);
+ 	}
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 	if (n != NULL) {
+ 		BN_free(n);
+ 	}
+@@ -792,7 +792,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) {
+ 	unsigned char *bufs[8] = { NULL };
+ 	unsigned short i = 0;
+ 	EVP_PKEY *pkey;
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	RSA *rsa = NULL;
+ 	const BIGNUM *n = NULL, *e = NULL, *d = NULL;
+ 	const BIGNUM *p = NULL, *q = NULL;
+@@ -801,7 +801,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) {
+ 	BIGNUM *n = NULL, *e = NULL, *d = NULL;
+ 	BIGNUM *p = NULL, *q = NULL;
+ 	BIGNUM *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL;
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 
+ 	if (key->keydata.pkey == NULL) {
+ 		DST_RET(DST_R_NULLKEY);
+@@ -812,7 +812,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) {
+ 	}
+ 
+ 	pkey = key->keydata.pkey;
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	rsa = EVP_PKEY_get1_RSA(pkey);
+ 	if (rsa == NULL) {
+ 		DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+@@ -829,7 +829,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) {
+ 	EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT1, &dmp1);
+ 	EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT2, &dmq1);
+ 	EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_COEFFICIENT1, &iqmp);
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 
+ 	if (n == NULL || e == NULL) {
+ 		DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+@@ -935,7 +935,7 @@ err:
+ 				    priv.elements[i].length);
+ 		}
+ 	}
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	RSA_free(rsa);
+ #else
+ 	if (n != NULL) {
+@@ -962,12 +962,12 @@ err:
+ 	if (iqmp != NULL) {
+ 		BN_clear_free(iqmp);
+ 	}
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 
+ 	return (ret);
+ }
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ static isc_result_t
+ rsa_check(RSA *rsa, RSA *pub) {
+ 	const BIGNUM *n1 = NULL, *n2 = NULL;
+@@ -1079,14 +1079,14 @@ err:
+ 
+ 	return (ret);
+ }
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 
+ static isc_result_t
+ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+ 	dst_private_t priv;
+ 	isc_result_t ret;
+ 	int i;
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	RSA *rsa = NULL, *pubrsa = NULL;
+ 	const BIGNUM *ex = NULL;
+ #else
+@@ -1094,7 +1094,7 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+ 	OSSL_PARAM *params = NULL;
+ 	EVP_PKEY_CTX *ctx = NULL;
+ 	BIGNUM *ex = NULL;
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ #if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
+ 	ENGINE *ep = NULL;
+ #endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
+@@ -1126,11 +1126,11 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+ 		DST_RET(ISC_R_SUCCESS);
+ 	}
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	if (pub != NULL && pub->keydata.pkey != NULL) {
+ 		pubrsa = EVP_PKEY_get1_RSA(pub->keydata.pkey);
+ 	}
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 
+ 	for (i = 0; i < priv.nelements; i++) {
+ 		switch (priv.elements[i].tag) {
+@@ -1249,7 +1249,7 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+ 		}
+ 	}
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	rsa = RSA_new();
+ 	if (rsa == NULL) {
+ 		DST_RET(ISC_R_NOMEMORY);
+@@ -1361,7 +1361,7 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+ 	    ISC_R_SUCCESS) {
+ 		DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
+ 	}
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 
+ 	if (BN_num_bits(e) > RSA_MAX_PUBEXP_BITS) {
+ 		DST_RET(ISC_R_RANGE);
+@@ -1375,7 +1375,7 @@ err:
+ 	if (pkey != NULL) {
+ 		EVP_PKEY_free(pkey);
+ 	}
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	if (rsa != NULL) {
+ 		RSA_free(rsa);
+ 	}
+@@ -1419,7 +1419,7 @@ err:
+ 	if (iqmp != NULL) {
+ 		BN_clear_free(iqmp);
+ 	}
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
+ 	if (ret != ISC_R_SUCCESS) {
+ 		key->keydata.generic = NULL;
+ 	}
+@@ -1643,7 +1643,7 @@ check_algorithm(unsigned char algorithm) {
+ 	int status;
+ 	isc_result_t ret = ISC_R_SUCCESS;
+ 	size_t len;
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	RSA *rsa = NULL;
+ #else
+ 	OSSL_PARAM *params = NULL;
+@@ -1689,7 +1689,7 @@ check_algorithm(unsigned char algorithm) {
+ 		DST_RET(ISC_R_NOMEMORY);
+ 	}
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	rsa = RSA_new();
+ 	if (rsa == NULL) {
+ 		DST_RET(dst__openssl_toresult2("RSA_new",
+@@ -1762,7 +1762,7 @@ check_algorithm(unsigned char algorithm) {
+ err:
+ 	BN_free(e);
+ 	BN_free(n);
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
+ 	if (rsa != NULL) {
+ 		RSA_free(rsa);
+ 	}
+-- 
+2.37.2
+
diff --git a/bind-9.18-pkcs11-engine-init.patch b/bind-9.18-pkcs11-engine-init.patch
new file mode 100644
index 0000000..5c0c6c4
--- /dev/null
+++ b/bind-9.18-pkcs11-engine-init.patch
@@ -0,0 +1,48 @@
+From 87a2eac7a8264a0e8d64a8db85d44ec22454e256 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Wed, 7 Sep 2022 13:46:31 +0200
+Subject: [PATCH 1/3] Add ENGINE_init and ENGINE_finish calls
+
+According to manual page of ENGINE_init, it should be called explicitly
+before any key operations happens. Make it active whole lifetime.
+---
+ lib/dns/openssl_link.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
+index 333f34cb37..a3f63885fa 100644
+--- a/lib/dns/openssl_link.c
++++ b/lib/dns/openssl_link.c
+@@ -85,14 +85,20 @@ dst__openssl_init(const char *engine) {
+ 			result = DST_R_NOENGINE;
+ 			goto cleanup_rm;
+ 		}
++		if (!ENGINE_init(e)) {
++			result = DST_R_NOENGINE;
++			goto cleanup_rm;
++		}
+ 		/* This will init the engine. */
+ 		if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
+ 			result = DST_R_NOENGINE;
+-			goto cleanup_rm;
++			goto cleanup_init;
+ 		}
+ 	}
+ 
+ 	return (ISC_R_SUCCESS);
++cleanup_init:
++	ENGINE_finish(e);
+ cleanup_rm:
+ 	if (e != NULL) {
+ 		ENGINE_free(e);
+@@ -108,6 +114,7 @@ void
+ dst__openssl_destroy(void) {
+ #if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
+ 	if (e != NULL) {
++		ENGINE_finish(e);
+ 		ENGINE_free(e);
+ 	}
+ 	e = NULL;
+-- 
+2.37.2
+
diff --git a/bind-9.18-pkcs11-engine-remove-deadcode.patch b/bind-9.18-pkcs11-engine-remove-deadcode.patch
new file mode 100644
index 0000000..7586395
--- /dev/null
+++ b/bind-9.18-pkcs11-engine-remove-deadcode.patch
@@ -0,0 +1,245 @@
+From cc8edfc6670ba97434bc5acb595539fd9c7d9123 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Thu, 8 Sep 2022 16:33:38 +0200
+Subject: [PATCH 3/3] Remove engine related parts for OpenSSL 3.0
+
+OpenSSL just cannot work with mixing ENGINE_* api mixed with OSSL_PARAM
+builders. But it can be built in legacy mode, where deprecated but still
+working API would be used.
+
+It can work under OpenSSL 3.0, but only if using legacy code paths
+matching OpenSSL 1.1 calls and functions.
+
+Remove fromlabel processing by OpenSSL 3.0 only functions. They can
+return later with a proper provider support for pkcs11.
+---
+ lib/dns/opensslecdsa_link.c | 55 -------------------------------------
+ lib/dns/opensslrsa_link.c   | 32 ---------------------
+ 2 files changed, 87 deletions(-)
+
+diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c
+index 04f0d80b5e..f04f076e42 100644
+--- a/lib/dns/opensslecdsa_link.c
++++ b/lib/dns/opensslecdsa_link.c
+@@ -1311,15 +1311,9 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
+ #if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
+ 	isc_result_t ret = ISC_R_SUCCESS;
+ 	ENGINE *e;
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ 	EC_KEY *eckey = NULL;
+ 	EC_KEY *pubeckey = NULL;
+ 	int group_nid;
+-#else
+-	size_t len;
+-	const char *curve_name, *nist_curve_name;
+-	char buf[128]; /* Sufficient for all of the supported curves' names. */
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+ 	EVP_PKEY *pkey = NULL;
+ 	EVP_PKEY *pubpkey = NULL;
+ 
+@@ -1336,22 +1330,11 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
+ 		DST_RET(DST_R_NOENGINE);
+ 	}
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ 	if (key->key_alg == DST_ALG_ECDSA256) {
+ 		group_nid = NID_X9_62_prime256v1;
+ 	} else {
+ 		group_nid = NID_secp384r1;
+ 	}
+-#else
+-	/* Get the expected curve names */
+-	if (key->key_alg == DST_ALG_ECDSA256) {
+-		curve_name = "prime256v1";
+-		nist_curve_name = "P-256";
+-	} else {
+-		curve_name = "secp384r1";
+-		nist_curve_name = "P-384";
+-	}
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+ 
+ 	/* Load private key. */
+ 	pkey = ENGINE_load_private_key(e, label, NULL, NULL);
+@@ -1363,7 +1346,6 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
+ 	if (EVP_PKEY_base_id(pkey) != EVP_PKEY_EC) {
+ 		DST_RET(DST_R_INVALIDPRIVATEKEY);
+ 	}
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ 	eckey = EVP_PKEY_get1_EC_KEY(pkey);
+ 	if (eckey == NULL) {
+ 		DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+@@ -1371,20 +1353,6 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
+ 	if (EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey)) != group_nid) {
+ 		DST_RET(DST_R_INVALIDPRIVATEKEY);
+ 	}
+-#else
+-	len = 0;
+-	if (EVP_PKEY_get_utf8_string_param(pkey, OSSL_PKEY_PARAM_GROUP_NAME,
+-					   buf, sizeof buf, &len) != 1 ||
+-	    len == 0 || len >= sizeof buf)
+-	{
+-		DST_RET(DST_R_INVALIDPRIVATEKEY);
+-	}
+-	if (strncasecmp(buf, curve_name, strlen(curve_name)) != 0 &&
+-	    strncasecmp(buf, nist_curve_name, strlen(nist_curve_name)) != 0)
+-	{
+-		DST_RET(DST_R_INVALIDPRIVATEKEY);
+-	}
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+ 
+ 	/* Load public key. */
+ 	pubpkey = ENGINE_load_public_key(e, label, NULL, NULL);
+@@ -1396,7 +1364,6 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
+ 	if (EVP_PKEY_base_id(pubpkey) != EVP_PKEY_EC) {
+ 		DST_RET(DST_R_INVALIDPUBLICKEY);
+ 	}
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ 	pubeckey = EVP_PKEY_get1_EC_KEY(pubpkey);
+ 	if (pubeckey == NULL) {
+ 		DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+@@ -1404,30 +1371,10 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
+ 	if (EC_GROUP_get_curve_name(EC_KEY_get0_group(pubeckey)) != group_nid) {
+ 		DST_RET(DST_R_INVALIDPUBLICKEY);
+ 	}
+-#else
+-	len = 0;
+-	if (EVP_PKEY_get_utf8_string_param(pubpkey, OSSL_PKEY_PARAM_GROUP_NAME,
+-					   buf, sizeof buf, &len) != 1 ||
+-	    len == 0 || len >= sizeof buf)
+-	{
+-		DST_RET(DST_R_INVALIDPUBLICKEY);
+-	}
+-	if (strncasecmp(buf, curve_name, strlen(curve_name)) != 0 &&
+-	    strncasecmp(buf, nist_curve_name, strlen(nist_curve_name)) != 0)
+-	{
+-		DST_RET(DST_R_INVALIDPUBLICKEY);
+-	}
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ 	if (ecdsa_check(eckey, pubeckey) != ISC_R_SUCCESS) {
+ 		DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
+ 	}
+-#else
+-	if (ecdsa_check(&pkey, pubpkey) != ISC_R_SUCCESS) {
+-		DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
+-	}
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+ 
+ 	key->label = isc_mem_strdup(key->mctx, label);
+ 	key->engine = isc_mem_strdup(key->mctx, engine);
+@@ -1442,14 +1389,12 @@ err:
+ 	if (pkey != NULL) {
+ 		EVP_PKEY_free(pkey);
+ 	}
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ 	if (pubeckey != NULL) {
+ 		EC_KEY_free(pubeckey);
+ 	}
+ 	if (eckey != NULL) {
+ 		EC_KEY_free(eckey);
+ 	}
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+ 
+ 	return (ret);
+ #else
+diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
+index 867b486a2f..cf350610ba 100644
+--- a/lib/dns/opensslrsa_link.c
++++ b/lib/dns/opensslrsa_link.c
+@@ -1167,7 +1167,6 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+ 		key->engine = isc_mem_strdup(key->mctx, engine);
+ 		key->label = isc_mem_strdup(key->mctx, label);
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ 		rsa = EVP_PKEY_get1_RSA(pkey);
+ 		if (rsa == NULL) {
+ 			DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+@@ -1176,16 +1175,6 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+ 			DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
+ 		}
+ 		RSA_get0_key(rsa, NULL, &ex, NULL);
+-#else
+-		if (rsa_check(pkey, pub != NULL ? pub->keydata.pkey : NULL) !=
+-		    ISC_R_SUCCESS) {
+-			DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
+-		}
+-		if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_E, &ex) !=
+-		    1) {
+-			DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
+-		}
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+ 
+ 		if (ex == NULL) {
+ 			DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
+@@ -1437,12 +1426,8 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
+ 	ENGINE *e = NULL;
+ 	isc_result_t ret = ISC_R_SUCCESS;
+ 	EVP_PKEY *pkey = NULL, *pubpkey = NULL;
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ 	RSA *rsa = NULL, *pubrsa = NULL;
+ 	const BIGNUM *ex = NULL;
+-#else
+-	BIGNUM *ex = NULL;
+-#endif
+ 
+ 	UNUSED(pin);
+ 
+@@ -1459,12 +1444,10 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
+ 		DST_RET(dst__openssl_toresult2("ENGINE_load_public_key",
+ 					       DST_R_OPENSSLFAILURE));
+ 	}
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ 	pubrsa = EVP_PKEY_get1_RSA(pubpkey);
+ 	if (pubrsa == NULL) {
+ 		DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+ 	}
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+ 
+ 	pkey = ENGINE_load_private_key(e, label, NULL, NULL);
+ 	if (pkey == NULL) {
+@@ -1475,7 +1458,6 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
+ 	key->engine = isc_mem_strdup(key->mctx, engine);
+ 	key->label = isc_mem_strdup(key->mctx, label);
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ 	rsa = EVP_PKEY_get1_RSA(pkey);
+ 	if (rsa == NULL) {
+ 		DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+@@ -1484,14 +1466,6 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
+ 		DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
+ 	}
+ 	RSA_get0_key(rsa, NULL, &ex, NULL);
+-#else
+-	if (rsa_check(pkey, pubpkey) != ISC_R_SUCCESS) {
+-		DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
+-	}
+-	if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_E, &ex) != 1) {
+-		DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
+-	}
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+ 
+ 	if (ex == NULL) {
+ 		DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
+@@ -1505,18 +1479,12 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
+ 	pkey = NULL;
+ 
+ err:
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ 	if (rsa != NULL) {
+ 		RSA_free(rsa);
+ 	}
+ 	if (pubrsa != NULL) {
+ 		RSA_free(pubrsa);
+ 	}
+-#else
+-	if (ex != NULL) {
+-		BN_free(ex);
+-	}
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+ 	if (pkey != NULL) {
+ 		EVP_PKEY_free(pkey);
+ 	}
+-- 
+2.37.2
+
diff --git a/bind.spec b/bind.spec
index 860a524..1840c00 100644
--- a/bind.spec
+++ b/bind.spec
@@ -61,7 +61,7 @@ Summary:  The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name:     bind
 License:  MPLv2.0
 Version:  9.18.6
-Release:  2%{?dist}
+Release:  3%{?dist}
 Epoch:    32
 Url:      https://www.isc.org/downloads/bind/
 #
@@ -97,6 +97,11 @@ Source49: named-chroot.files
 Patch10: bind-9.5-PIE.patch
 Patch16: bind-9.16-redhat_doc.patch
 Patch22: bind-9.11-fips-tests.patch
+# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5385
+# https://bugzilla.redhat.com/show_bug.cgi?id=2122841
+Patch23: bind-9.18-pkcs11-engine-init.patch
+Patch24: bind-9.18-pkcs11-engine-compat-api.patch
+Patch25: bind-9.18-pkcs11-engine-remove-deadcode.patch
 
 %{?systemd_ordering}
 Requires:       coreutils
@@ -349,10 +354,11 @@ done
   cp -Tuav bin/tests "%{1}/bin/tests/" \
 
 CFLAGS="$CFLAGS $RPM_OPT_FLAGS"
+CPPFLAGS="$CPPFLAGS -DOPENSSL_API_COMPAT=10100"
 %if %{with TSAN}
   CFLAGS+=" -O1 -fsanitize=thread -fPIE -pie"
 %endif
-export CFLAGS
+export CFLAGS CPPFLAGS
 export STD_CDEFINES="$CPPFLAGS"
 
 
@@ -402,6 +408,7 @@ export LIBDIR_SUFFIX
 %endif
   --enable-fixed-rrset \
   --enable-full-report \
+  CPPFLAGS="$CPPFLAGS" \
 ;
 %if %{with DNSTAP}
   pushd lib
@@ -941,6 +948,9 @@ fi;
 %endif
 
 %changelog
+* Tue Sep 06 2022 Petr Menšík <pemensik@redhat.com> - 32:9.18.6-3
+- Return OpenSSL engine implementation for pkcs11 interface (#2122841)
+
 * Thu Sep 01 2022 Petr Menšík <pemensik@redhat.com> - 32:9.18.6-2
 - Always show error details for failed unittests (#2122010)