I don't run my DNS server on my laptop and I don't plug in my smartcard at the datacenter (yet). So to keep the KSK offline, I have my YubiKey plugged into my home router, I ssh into that, and then ssh to the DNS server with the key shared over an ssh channel.
p11-kit-server creates a unix socket which then serializes the communication to the smartcard. p11-kit-remote is more like the xinetd way of doing things. It isn't what I want for this, but can be used in the reverse -- such that the dns server starts the communication to …
BIND9 has native pkcs11 support which is usually available in separate packages. But that does not work for smartcard. Your HSM would need to support every crypto function. We want to use OpenSSL engine to do everything except the few things that the smartcard holds secret inside (signing things with a key that can't come out). So don't bother with the bind pkcs11 packages.