diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c
index 4dee158b31..08f061208c 100644
--- a/lib/dns/opensslecdsa_link.c
+++ b/lib/dns/opensslecdsa_link.c
@@ -66,24 +66,16 @@ raw_key_to_ossl(unsigned int key_alg, int private, const unsigned char *key,
 	OSSL_PARAM *params = NULL;
 	EVP_PKEY_CTX *ctx = NULL;
 	BIGNUM *priv = NULL;
-	size_t len = 0;
 	unsigned char buf[DNS_KEY_ECDSA384SIZE + 1];
 
 	if (key_alg == DST_ALG_ECDSA256) {
 		groupname = "P-256";
-		len = private ? DNS_KEY_ECDSA256SIZE / 2 : DNS_KEY_ECDSA256SIZE;
 	} else if (key_alg == DST_ALG_ECDSA384) {
 		groupname = "P-384";
-		len = private ? DNS_KEY_ECDSA384SIZE / 2 : DNS_KEY_ECDSA384SIZE;
 	} else {
 		DST_RET(ISC_R_NOTIMPLEMENTED);
 	}
 
-	ret = (private ? DST_R_INVALIDPRIVATEKEY : DST_R_INVALIDPUBLICKEY);
-	if (*key_len < len) {
-		DST_RET(ret);
-	}
-
 	bld = OSSL_PARAM_BLD_new();
 	if (bld == NULL) {
 		DST_RET(dst__openssl_toresult2("OSSL_PARAM_BLD_new",
@@ -98,7 +90,7 @@ raw_key_to_ossl(unsigned int key_alg, int private, const unsigned char *key,
 	}
 
 	if (private) {
-		priv = BN_bin2bn(key, len, NULL);
+		priv = BN_bin2bn(key, *key_len, NULL);
 		if (priv == NULL) {
 			DST_RET(dst__openssl_toresult2("BN_bin2bn",
 						       DST_R_OPENSSLFAILURE));
@@ -111,11 +103,12 @@ raw_key_to_ossl(unsigned int key_alg, int private, const unsigned char *key,
 						       DST_R_OPENSSLFAILURE));
 		}
 	} else {
+		INSIST(*key_len < sizeof(buf));
 		buf[0] = POINT_CONVERSION_UNCOMPRESSED;
-		memmove(buf + 1, key, len);
+		memmove(buf + 1, key, *key_len);
 
 		status = OSSL_PARAM_BLD_push_octet_string(
-			bld, OSSL_PKEY_PARAM_PUB_KEY, buf, 1 + len);
+			bld, OSSL_PKEY_PARAM_PUB_KEY, buf, 1 + *key_len);
 		if (status != 1) {
 			DST_RET(dst__openssl_toresult2("OSSL_PARAM_BLD_push_"
 						       "octet_string",
@@ -146,7 +139,6 @@ raw_key_to_ossl(unsigned int key_alg, int private, const unsigned char *key,
 					       DST_R_OPENSSLFAILURE));
 	}
 
-	*key_len = len;
 	ret = ISC_R_SUCCESS;
 
 err:
@@ -1184,8 +1176,6 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 #if OPENSSL_VERSION_NUMBER < 0x30000000L
 	EC_KEY *eckey = NULL;
 	EC_KEY *pubeckey = NULL;
-#else
-	size_t len;
 #endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
 	const char *engine = NULL;
 	const char *label = NULL;
@@ -1257,14 +1247,9 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 			key->keydata.pkey = NULL;
 		}
 
-		if (key->key_alg == DST_ALG_ECDSA256) {
-			len = DNS_KEY_ECDSA256SIZE / 2;
-		} else {
-			len = DNS_KEY_ECDSA384SIZE / 2;
-		}
-
 		ret = raw_key_to_ossl(key->key_alg, 1,
-				      priv.elements[privkey_index].data, &len,
+				      priv.elements[privkey_index].data,
+				      &priv.elements[privkey_index].length,
 				      &key->keydata.pkey);
 #endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */