diff --git a/lib/dns/opensslgost_link.c b/lib/dns/opensslgost_link.c
index e10f9f4808..d3cbb4fab8 100644
--- a/lib/dns/opensslgost_link.c
+++ b/lib/dns/opensslgost_link.c
@@ -398,6 +398,11 @@ opensslgost_tofile(const dst_key_t *key, const char *directory) {
 if (key->keydata.pkey == NULL)
 return (DST_R_NULLKEY);
 
+ if (key->external) {
+ priv.nelements = 0;
+ return (dst__privstruct_writefile(key, &priv, directory));
+ }
+
 pkey = key->keydata.pkey;
 eckey = EVP_PKEY_get0(pkey);
 if (eckey == NULL)
diff --git a/lib/dns/pkcs11dsa_link.c b/lib/dns/pkcs11dsa_link.c
index c0c4c4abcc..f277a5551d 100644
--- a/lib/dns/pkcs11dsa_link.c
+++ b/lib/dns/pkcs11dsa_link.c
@@ -928,6 +928,12 @@ pkcs11dsa_tofile(const dst_key_t *key, const char *directory) {
 (pub_key == NULL) || (priv_key ==NULL))
 return (DST_R_NULLKEY);
 
+ if (key->external) {
+ priv.nelements = 0;
+ result = dst__privstruct_writefile(key, &priv, directory);
+ goto fail;
+ }
+
 priv.elements[cnt].tag = TAG_DSA_PRIME;
 priv.elements[cnt].length = (unsigned short) prime->ulValueLen;
 memcpy(bufs[cnt], prime->pValue, prime->ulValueLen);
@@ -977,6 +983,9 @@ pkcs11dsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 if (ret != ISC_R_SUCCESS)
 return (ret);
 
+ if (key->external && priv.nelements != 0)
+ DST_RET(DST_R_INVALIDPRIVATEKEY);
+
 dsa = (iscpk11_object_t *) isc_mem_get(key->mctx, sizeof(*dsa));
 if (dsa == NULL)
 DST_RET(ISC_R_NOMEMORY);
diff --git a/lib/dns/pkcs11ecdsa_link.c b/lib/dns/pkcs11ecdsa_link.c
index 61d69c62c8..572e47e6ec 100644
--- a/lib/dns/pkcs11ecdsa_link.c
+++ b/lib/dns/pkcs11ecdsa_link.c
@@ -755,6 +755,12 @@ pkcs11ecdsa_tofile(const dst_key_t *key, const char *directory) {
 if (key->keydata.pkey == NULL)
 return (DST_R_NULLKEY);
 
+ if (key->external) {
+ priv.nelements = 0;
+ result = dst__privstruct_writefile(key, &priv, directory);
+ goto fail;
+ }
+
 ec = key->keydata.pkey;
 attr = pk11_attribute_bytype(ec, CKA_VALUE);
 if (attr != NULL) {
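Review bot: Only the writer side of opensslgost_link.c changes in this diff, while each of the three pkcs11 files also gains a parse-time guard (`if (key->external && priv.nelements != 0) DST_RET(DST_R_INVALIDPRIVATEKEY);`), and nothing equivalent appears for opensslgost_parse. If that guard is not already present there, an external-key private file that carries elements would be accepted by the OpenSSL GOST backend but rejected by the PKCS#11 ones, so the two backends would disagree on what a valid external key file is. The new branch would also benefit from a one-line comment, e.g. `/* External keys hold no private material; write an empty privstruct. */`, since the empty-file convention is otherwise implicit. The rest of opensslgost_tofile lies outside the hunk.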
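Review bot: In pkcs11dsa_tofile the new external branch comes after the `(priv_key ==NULL)) return (DST_R_NULLKEY);` check on the preceding context lines, so an external key whose object carries no private-value attribute is rejected with DST_R_NULLKEY before the branch can run. If external keys are loaded without that attribute (the function's opening is outside the hunk, so this is inferred), the branch should be moved ahead of the attribute checks, as the pkcs11ecdsa_tofile and pkcs11gost_tofile hunks in this diff do by testing only `key->keydata.pkey == NULL` first. The `fail:` label it jumps to is also outside the hunk; confirm it releases what was acquired above without overwriting `result`.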
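Review bot: In pkcs11dsa_parse the guard rejects an external key whose private file has elements, but an external key with the expected zero elements then falls straight into normal private-key construction at `dsa = (iscpk11_object_t *) isc_mem_get(key->mctx, sizeof(*dsa));`, with nothing visible that takes the public key from `pub` or returns early. Unless code outside the hunk handles `key->external` later on, a dedicated branch is needed after the guard (adopt the key material from `pub`, free `priv`, return ISC_R_SUCCESS) rather than building an object with no attributes. The same applies to the pkcs11ecdsa_parse hunk, where `for (i = 0; i < priv.nelements; i++)` simply runs zero times for an external key. A short comment such as `/* External keys: the private file is a placeholder with no elements. */` on the guard would record the convention.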
@@ -924,6 +930,9 @@ pkcs11ecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 if (ret != ISC_R_SUCCESS)
 return (ret);
 
+ if (key->external && priv.nelements != 0)
+ DST_RET(DST_R_INVALIDPRIVATEKEY);
+
 for (i = 0; i < priv.nelements; i++) {
 switch (priv.elements[i].tag) {
 case TAG_ECDSA_ENGINE:
diff --git a/lib/dns/pkcs11gost_link.c b/lib/dns/pkcs11gost_link.c
index d7d429d697..81585336ea 100644
--- a/lib/dns/pkcs11gost_link.c
+++ b/lib/dns/pkcs11gost_link.c
@@ -720,6 +720,12 @@ pkcs11gost_tofile(const dst_key_t *key, const char *directory) {
 if (key->keydata.pkey == NULL)
 return (DST_R_NULLKEY);
 
+ if (key->external) {
+ priv.nelements = 0;
+ result = dst__privstruct_writefile(key, &priv, directory);
+ goto fail;
+ }
+
 gost = key->keydata.pkey;
 attr = pk11_attribute_bytype(gost, CKA_VALUE2);
 if (attr != NULL) {
@@ -759,6 +765,9 @@ pkcs11gost_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 if (ret != ISC_R_SUCCESS)
 return (ret);
 
+ if (key->external && priv.nelements != 0)
+ DST_RET(DST_R_INVALIDPRIVATEKEY);
+
 if (priv.elements[0].tag == TAG_GOST_PRIVASN1) {
 dst__privstruct_free(&priv, mctx);
 memset(&priv, 0, sizeof(priv));
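Review bot: In pkcs11gost_parse the line right after the new guard, `if (priv.elements[0].tag == TAG_GOST_PRIVASN1) {`, reads the first element even though the guard has just established that an external key arrives with `priv.nelements == 0`, so for such a key that read is outside the populated range of the array. Bound it with `if (priv.nelements > 0 && priv.elements[0].tag == TAG_GOST_PRIVASN1) {`, or better, return for external keys before any element handling, as the guard alone only rejects malformed files and does not complete the load. The remainder of the function is outside the hunk, so whatever follows must also cope with a zero-element privstruct.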