diff --git a/lib/dns/dst_openssl.h b/lib/dns/dst_openssl.h
index b9027af369..c941693198 100644
--- a/lib/dns/dst_openssl.h
+++ b/lib/dns/dst_openssl.h
@@ -24,20 +24,6 @@
 #include <isc/log.h>
 #include <isc/result.h>
 
-#if !HAVE_BN_GENCB_NEW
-/*
- * These are new in OpenSSL 1.1.0.  BN_GENCB _cb needs to be declared in
- * the function like this before the BN_GENCB_new call:
- *
- * #if !HAVE_BN_GENCB_NEW
- *     	 _cb;
- * #endif
- */
-#define BN_GENCB_free(x)    ((void)0)
-#define BN_GENCB_new()	    (&_cb)
-#define BN_GENCB_get_arg(x) ((x)->arg)
-#endif /* !HAVE_BN_GENCB_NEW */
-
 ISC_LANG_BEGINDECLS
 
 isc_result_t
diff --git a/lib/dns/openssl_shim.h b/lib/dns/openssl_shim.h
index ad07638c3e..120384952b 100644
--- a/lib/dns/openssl_shim.h
+++ b/lib/dns/openssl_shim.h
@@ -28,6 +28,27 @@
 #define RSA_MAX_PUBEXP_BITS 35
 #endif /* ifndef RSA_MAX_PUBEXP_BITS */
 
+#if !HAVE_BN_GENCB_NEW
+/* These are new in OpenSSL 1.1.0. */
+static inline BN_GENCB *
+BN_GENCB_new(void) {
+	return (OPENSSL_malloc(sizeof(BN_GENCB)));
+}
+
+static inline void
+BN_GENCB_free(BN_GENCB *cb) {
+	if (cb == NULL) {
+		return;
+	}
+	OPENSSL_free(cb);
+}
+
+static inline void *
+BN_GENCB_get_arg(BN_GENCB *cb) {
+	return cb->arg;
+}
+#endif /* !HAVE_BN_GENCB_NEW */
+
 #if !HAVE_EVP_PKEY_GET0_RSA && OPENSSL_VERSION_NUMBER < 0x10100000L
 static inline const RSA *
 EVP_PKEY_get0_RSA(const EVP_PKEY *pkey) {
diff --git a/lib/dns/openssldh_link.c b/lib/dns/openssldh_link.c
index e32a7d2a19..c4729b675f 100644
--- a/lib/dns/openssldh_link.c
+++ b/lib/dns/openssldh_link.c
@@ -365,9 +365,6 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
 #if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	DH *dh = NULL;
 	BN_GENCB *cb = NULL;
-#if !HAVE_BN_GENCB_NEW
-	BN_GENCB _cb;
-#endif /* !HAVE_BN_GENCB_NEW */
 #else
 	OSSL_PARAM_BLD *bld = NULL;
 	OSSL_PARAM *params = NULL;
@@ -452,12 +449,9 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
 #if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 		if (callback != NULL) {
 			cb = BN_GENCB_new();
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
 			if (cb == NULL) {
 				DST_RET(dst__openssl_toresult(ISC_R_NOMEMORY));
 			}
-#endif /* if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
-	* !defined(LIBRESSL_VERSION_NUMBER) */
 			u.fptr = callback;
 			BN_GENCB_set(cb, progress_cb, u.dptr);
 		}
diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
index 619ce345f4..8fc8a297c5 100644
--- a/lib/dns/opensslrsa_link.c
+++ b/lib/dns/opensslrsa_link.c
@@ -299,9 +299,6 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
 #if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	RSA *rsa = RSA_new();
 	EVP_PKEY *pkey = EVP_PKEY_new();
-#if !HAVE_BN_GENCB_NEW
-	BN_GENCB _cb;
-#endif /* !HAVE_BN_GENCB_NEW */
 	BN_GENCB *cb = NULL;
 #else
 	EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL);
@@ -362,12 +359,9 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
 
 	if (callback != NULL) {
 		cb = BN_GENCB_new();
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
 		if (cb == NULL) {
 			DST_RET(dst__openssl_toresult(ISC_R_NOMEMORY));
 		}
-#endif /* if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
-	* !defined(LIBRESSL_VERSION_NUMBER) */
 		u.fptr = callback;
 		BN_GENCB_set(cb, progress_cb, u.dptr);
 	}