kinit -p administrator
samba-tool domain join samdom.example.dom DC -k yes --dns-backend=BIND9_DLZ --option='idmap_ldb:use rfc2307 = yes' --option="password hash userPassword schemes = CryptSHA256"
succeeds and generates entries in binddir/dns/. However, dns.keytab file is placed into private/ directory instead of binddir/, which is where it belongs.
Additionally, dns.keytab is owned by root.root and has 0700 permissions. It probably should be owned by named. Most Bind9 installations run the daemon as named.
To be more specific, in my case:
private = /var/lib/samba/private
binddir = /var/lib/samba/bind-dns