diff --git a/CHANGES b/CHANGES index de72a2e856..9d93b66fdd 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +5540. [port] Fix building with native PKCS#11 support for AEP Keyper. + [GL #2315] + 5539. [bug] Tighten handling of missing DNS COOKIE responses over UDP by falling back to TCP. [GL #2275] diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 753b52895f..c58df5cafb 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -49,3 +49,6 @@ Bug Fixes - Tighten handling of missing DNS COOKIE responses over UDP by falling back to TCP. [GL #2275] + +- Building with native PKCS#11 support for AEP Keyper has been broken + since BIND 9.17.4. This has been fixed. [GL #2315] diff --git a/lib/dns/pkcs11rsa_link.c b/lib/dns/pkcs11rsa_link.c index f9b5b5dc0c..6e78941622 100644 --- a/lib/dns/pkcs11rsa_link.c +++ b/lib/dns/pkcs11rsa_link.c @@ -336,6 +336,8 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits, for (attr = pk11_attribute_first(rsa); attr != NULL; attr = pk11_attribute_next(rsa, attr)) { + unsigned int bits; + switch (attr->type) { case CKA_MODULUS: INSIST(keyTemplate[5].type == attr->type); @@ -352,7 +354,6 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits, memmove(keyTemplate[6].pValue, attr->pValue, attr->ulValueLen); keyTemplate[6].ulValueLen = attr->ulValueLen; - unsigned int bits; ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits); if (ret != ISC_R_SUCCESS || @@ -952,6 +953,9 @@ pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) { for (attr = pk11_attribute_first(rsa); attr != NULL; attr = pk11_attribute_next(rsa, attr)) + { + unsigned int bits; + switch (attr->type) { case CKA_MODULUS: INSIST(keyTemplate[5].type == attr->type); 
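Review bot: `unsigned int bits;` is now declared uninitialized at the top of the `for` body in the `@@ -336,6 +336,8 @@` hunk, although only the `CKA_PUBLIC_EXPONENT` case writes and reads it, through `pk11_numbits(attr->pValue, attr->ulValueLen, &bits)` in the following hunk. The read is safe only while the `ret != ISC_R_SUCCESS ||` test short-circuits before `bits` is compared, which is what the truncated condition appears to do. Bracing that case, with `case CKA_PUBLIC_EXPONENT: {`, `unsigned int bits;` as its first line and a closing `}` after its `break;`, would keep the variable in the narrowest scope and still avoid a declaration directly after a label. Failing that, a comment on the declaration such as `/* written by pk11_numbits() in the CKA_PUBLIC_EXPONENT case only */` would record the intent. The same applies to the declaration added in the `@@ -952,6 +953,9 @@` hunk of `pkcs11rsa_verify`; both loop bodies continue outside their hunks.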
@@ -962,7 +966,6 @@ pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
 keyTemplate[5].ulValueLen = attr->ulValueLen;
 break;
 case CKA_PUBLIC_EXPONENT:
- unsigned int bits;
 INSIST(keyTemplate[6].type == attr->type);
 keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
 attr->ulValueLen);
@@ -977,6 +980,7 @@ pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
 }
 break;
 }
+ }
 pk11_ctx->object = CK_INVALID_HANDLE;
 pk11_ctx->ontoken = false;
 PK11_RET(pkcs_C_CreateObject,