Proper DNSSEC support in FreeIPA requires PKCS#11 interface in BIND. BIND 9.10 introduced support for native PKCS#11 interface: http://ftp.isc.org/isc/bind9/cur/9.10/RELEASE-NOTES-BIND-9.10.0-P1.txt We can either rebase BIND or backport PKSCS#11 support from v9.10 to v9.9.
Testing packages (should be final) can be found here: http://copr-fe.cloud.fedoraproject.org/coprs/thozza/bind-9.9.4-native-pkcs11/ Changes are for the time being here: https://github.com/thozza/fedora20-bind-pkcs11-backport
Unfortunatelly this package doesn't contain dnssec-keyfromlabel utility so it is untestable.
Just for the record, the utility is available in bind-pkcs11-utils
I have tested the latest build and it works for me.
I'm still waiting for the SoftHSMv2 rebase. Without it the bind-pkcs11* sub-packages are useless!
Added in bind-9.9.6-2.fc22 and bind-9.9.6-2.fc21
bind-9.9.6-2.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/bind-9.9.6-2.fc21
Package bind-9.9.6-2.fc21: * should fix your issue, * was pushed to the Fedora 21 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing bind-9.9.6-2.fc21' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2014-12860/bind-9.9.6-2.fc21 then log in and leave karma (feedback).
bind-9.9.6-2.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.