diff --git a/lib/dns/openssl_shim.h b/lib/dns/openssl_shim.h index 439d9f999a..e716b3a7a3 100644 --- a/lib/dns/openssl_shim.h +++ b/lib/dns/openssl_shim.h @@ -72,8 +72,6 @@ DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g); int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g); - -#define DH_clear_flags(d, f) ((d)->flags &= ~(f)) #endif /* !HAVE_DH_GET0_KEY */ #if !HAVE_ERR_GET_ERROR_ALL diff --git a/lib/dns/openssldh_link.c b/lib/dns/openssldh_link.c index d5dbc2e889..e76cfbe310 100644 --- a/lib/dns/openssldh_link.c +++ b/lib/dns/openssldh_link.c @@ -444,16 +444,14 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { if (generator != 0) { #if OPENSSL_VERSION_NUMBER < 0x30000000L - cb = BN_GENCB_new(); + if (callback != NULL) { + cb = BN_GENCB_new(); #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) - if (cb == NULL) { - DST_RET(dst__openssl_toresult(ISC_R_NOMEMORY)); - } + if (cb == NULL) { + DST_RET(dst__openssl_toresult(ISC_R_NOMEMORY)); + } #endif /* if OPENSSL_VERSION_NUMBER >= 0x10100000L && \ * !defined(LIBRESSL_VERSION_NUMBER) */ - if (callback == NULL) { - BN_GENCB_set_old(cb, NULL, NULL); - } else { u.fptr = callback; BN_GENCB_set(cb, progress_cb, u.dptr); } @@ -494,7 +492,6 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { DST_RET(dst__openssl_toresult2("DH_generate_key", DST_R_OPENSSLFAILURE)); } - DH_clear_flags(dh, DH_FLAG_CACHE_MONT_P); key->keydata.dh = dh; dh = NULL; #else @@ -787,7 +784,6 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { if (dh == NULL) { DST_RET(dst__openssl_toresult(ISC_R_NOMEMORY)); } - DH_clear_flags(dh, DH_FLAG_CACHE_MONT_P); #else bld = OSSL_PARAM_BLD_new(); if (bld == NULL) { 
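Review bot: In the `@@ -444,16 +444,14 @@` hunk of openssldh_generate(), `cb` is now assigned only inside `if (callback != NULL)`, so without a callback it keeps whatever value its declaration gave it, and that declaration is outside the hunk. If it is not already `BN_GENCB *cb = NULL;`, the later parameter-generation call and the cleanup path would read an indeterminate pointer; the opensslrsa_link.c hunk at `-384,14` makes that initialisation explicit, and the DH side should match. It is also worth confirming that the `BN_GENCB_free()` used on pre-1.1.0 and LibreSSL builds accepts NULL, since a NULL `cb` now reaches cleanup on the success path as well. A short comment above the new `if` would record the intent, for example `/* No progress callback requested: cb stays NULL, which the generator accepts. */`. The function body starts and ends outside the hunk.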
@@ -1118,7 +1114,6 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { if (dh == NULL) { DST_RET(ISC_R_NOMEMORY); } - DH_clear_flags(dh, DH_FLAG_CACHE_MONT_P); #else bld = OSSL_PARAM_BLD_new(); if (bld == NULL) { diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c index be1998e381..26c1182805 100644 --- a/lib/dns/opensslrsa_link.c +++ b/lib/dns/opensslrsa_link.c @@ -384,14 +384,14 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) { #if !HAVE_BN_GENCB_NEW BN_GENCB _cb; #endif /* !HAVE_BN_GENCB_NEW */ - BN_GENCB *cb = BN_GENCB_new(); + BN_GENCB *cb = NULL; #else EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL); EVP_PKEY *pkey = NULL; #endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ #if OPENSSL_VERSION_NUMBER < 0x30000000L - if (e == NULL || rsa == NULL || pkey == NULL || cb == NULL) { + if (e == NULL || rsa == NULL || pkey == NULL) { DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); } #else @@ -442,9 +442,14 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) { DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); } - if (callback == NULL) { - BN_GENCB_set_old(cb, NULL, NULL); - } else { + if (callback != NULL) { + cb = BN_GENCB_new(); +#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) + if (cb == NULL) { + DST_RET(dst__openssl_toresult(ISC_R_NOMEMORY)); + } +#endif /* if OPENSSL_VERSION_NUMBER >= 0x10100000L && \ + * !defined(LIBRESSL_VERSION_NUMBER) */ u.fptr = callback; BN_GENCB_set(cb, progress_cb, u.dptr); }
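Review bot: The new allocation check in the `@@ -442,9 +442,14 @@` hunk of opensslrsa_generate() is guarded by `#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)`, while the declarations of the same function (hunk `-384,14`) choose the fallback with `#if !HAVE_BN_GENCB_NEW`. Two different tests for one property can drift apart: on a build where `BN_GENCB_new()` is a real allocator but the version test is false, the check is compiled out and a failed allocation could hand a NULL `cb` to `BN_GENCB_set()`. Consider guarding the check with `#if HAVE_BN_GENCB_NEW` instead; the same version-based guard appears in the openssldh_link.c hunk at `-444,16`. The failure now reports `ISC_R_NOMEMORY` where the removed combined check used `DST_R_OPENSSLFAILURE`, which looks intended but deserves a line in the commit message. The function continues outside the hunk.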