diff --git a/CHANGES b/CHANGES
index 18fe978440..768981baed 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+4601.	[bug]		Reject incorrect RSA key lengths during key
+			generation and and sign/verify context
+			creation. [RT #45043]
+
 4599.	[bug]		Fix inconsistencies in inline signing time
 			comparison that were introduced with the
 			introduction of rdatasetheader->resign_lsb.
diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
index 58a1234454..78473fda67 100644
--- a/lib/dns/opensslrsa_link.c
+++ b/lib/dns/opensslrsa_link.c
@@ -260,6 +260,33 @@ opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) {
 		dctx->key->key_alg == DST_ALG_RSASHA256 ||
 		dctx->key->key_alg == DST_ALG_RSASHA512);
 
+	/*
+	 * Reject incorrect RSA key lengths.
+	 */
+	switch (dctx->key->key_alg) {
+	case DST_ALG_RSAMD5:
+	case DST_ALG_RSASHA1:
+	case DST_ALG_NSEC3RSASHA1:
+		/* From RFC 3110 */
+		if (dctx->key->key_size > 4096)
+			return (ISC_R_FAILURE);
+		break;
+	case DST_ALG_RSASHA256:
+		/* From RFC 5702 */
+		if ((dctx->key->key_size < 512) ||
+		    (dctx->key->key_size > 4096))
+			return (ISC_R_FAILURE);
+		break;
+	case DST_ALG_RSASHA512:
+		/* From RFC 5702 */
+		if ((dctx->key->key_size < 1024) ||
+		    (dctx->key->key_size > 4096))
+			return (ISC_R_FAILURE);
+		break;
+	default:
+		INSIST(0);
+	}
+
 #if USE_EVP
 	evp_md_ctx = EVP_MD_CTX_create();
 	if (evp_md_ctx == NULL)
@@ -913,6 +940,33 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
 	EVP_PKEY *pkey = EVP_PKEY_new();
 #endif
 
+	/*
+	 * Reject incorrect RSA key lengths.
+	 */
+	switch (key->key_alg) {
+	case DST_ALG_RSAMD5:
+	case DST_ALG_RSASHA1:
+	case DST_ALG_NSEC3RSASHA1:
+		/* From RFC 3110 */
+		if (key->key_size > 4096)
+			goto err;
+		break;
+	case DST_ALG_RSASHA256:
+		/* From RFC 5702 */
+		if ((key->key_size < 512) ||
+		    (key->key_size > 4096))
+			goto err;
+		break;
+	case DST_ALG_RSASHA512:
+		/* From RFC 5702 */
+		if ((key->key_size < 1024) ||
+		    (key->key_size > 4096))
+			goto err;
+		break;
+	default:
+		INSIST(0);
+	}
+
 	if (rsa == NULL || e == NULL || cb == NULL)
 		goto err;
 #if USE_EVP