diff --git a/bin/dnssec/dnssec-keyfromlabel.docbook b/bin/dnssec/dnssec-keyfromlabel.docbook
index 0eb2dca40f..71ded9ec06 100644
--- a/bin/dnssec/dnssec-keyfromlabel.docbook
+++ b/bin/dnssec/dnssec-keyfromlabel.docbook
@@ -173,9 +173,7 @@
When BIND 9 is built with OpenSSL-based
PKCS#11 support, the label is an arbitrary string that
- identifies a particular key. It may be preceded by an
- optional OpenSSL engine name, followed by a colon, as in
- "pkcs11:keylabel".
+ identifies a particular key.
When BIND 9 is built with native PKCS#11
diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
index 0bd7558e5d..009ee454de 100644
--- a/lib/dns/opensslrsa_link.c
+++ b/lib/dns/opensslrsa_link.c
@@ -1024,58 +1024,52 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
isc_result_t ret;
EVP_PKEY *pkey = NULL;
RSA *rsa = NULL, *pubrsa = NULL;
- char *colon, *tmpengine = NULL;
const BIGNUM *ex = NULL;
UNUSED(pin);
if (engine == NULL) {
- if (strchr(label, ':') == NULL)
- DST_RET(DST_R_NOENGINE);
- tmpengine = isc_mem_strdup(key->mctx, label);
- colon = strchr(tmpengine, ':');
- INSIST(colon != NULL);
- *colon = '\0';
+ DST_RET(DST_R_NOENGINE);
}
e = dst__openssl_getengine(engine);
- if (e == NULL)
+ if (e == NULL) {
DST_RET(DST_R_NOENGINE);
+ }
pkey = ENGINE_load_public_key(e, label, NULL, NULL);
if (pkey != NULL) {
pubrsa = EVP_PKEY_get1_RSA(pkey);
EVP_PKEY_free(pkey);
- if (pubrsa == NULL)
+ if (pubrsa == NULL) {
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+ }
}
pkey = ENGINE_load_private_key(e, label, NULL, NULL);
- if (pkey == NULL)
+ if (pkey == NULL) {
DST_RET(dst__openssl_toresult2("ENGINE_load_private_key",
ISC_R_NOTFOUND));
- if (tmpengine != NULL) {
- key->engine = tmpengine;
- tmpengine = NULL;
- } else {
- key->engine = isc_mem_strdup(key->mctx, engine);
}
+ key->engine = isc_mem_strdup(key->mctx, engine);
key->label = isc_mem_strdup(key->mctx, label);
rsa = EVP_PKEY_get1_RSA(pkey);
- if (rsa == NULL)
+ if (rsa == NULL) {
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
- if (rsa_check(rsa, pubrsa) != ISC_R_SUCCESS)
+ }
+ if (rsa_check(rsa, pubrsa) != ISC_R_SUCCESS) {
DST_RET(DST_R_INVALIDPRIVATEKEY);
+ }
RSA_get0_key(rsa, NULL, &ex, NULL);
- if (BN_num_bits(ex) > RSA_MAX_PUBEXP_BITS)
+ if (BN_num_bits(ex) > RSA_MAX_PUBEXP_BITS) {
DST_RET(ISC_R_RANGE);
- if (pubrsa != NULL)
+ }
+ if (pubrsa != NULL) {
RSA_free(pubrsa);
+ }
key->key_size = EVP_PKEY_bits(pkey);
key->keydata.pkey = pkey;
RSA_free(rsa);
return (ISC_R_SUCCESS);
err:
- if (tmpengine != NULL)
- isc_mem_free(key->mctx, tmpengine);
if (rsa != NULL)
RSA_free(rsa);
if (pubrsa != NULL)
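Review bot: In the public-key block, `pkey` still holds the freed pointer after `EVP_PKEY_free(pkey);`, and the `pubrsa == NULL` branch right below it jumps to `err` with that stale value. opensslrsa_fromlabel's `err:` cleanup continues past the end of this hunk, so the consequence is inferred: if it releases `pkey` when non-NULL, that path is a double free, and if it does not, the later failure exits (`rsa == NULL`, `rsa_check`, the exponent range check) leak the private-key handle. Adding `pkey = NULL;` directly after `EVP_PKEY_free(pkey);` makes the error path safe in either case. Separately, `key->engine` and `key->label` are assigned before the key is validated, so a rejected key leaves them populated; moving both `isc_mem_strdup` calls down next to `key->keydata.pkey = pkey;` would avoid that, assuming no caller relies on them after a failure.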