From d8152c4155ab5306f10ffbde7a7e0461ad98b656 Mon Sep 17 00:00:00 2001
From: Stephen Paul Weber
Date: Tue, 6 Jan 2026 10:32:57 -0500
Subject: [PATCH] Never fall back to iterative DNS for DNSSEC

This can work around if your local resolver strips DNSSEC, but also it means resolution is bonkers slow and might even take forever / fail if DNS queries are blocked (because you're on TOR VPN or similar). So if recursive DNSSEC fails, just fail DNSSEC and fall back to regular DNS lookups.
---
 src/main/java/eu/siacs/conversations/utils/Resolver.java | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/main/java/eu/siacs/conversations/utils/Resolver.java b/src/main/java/eu/siacs/conversations/utils/Resolver.java
index 7a19f7ed67f2ae080b3f0aaff835ace89c4724f0..ef2fddddb526dce6d9bb959d9d0aef68637d89e8 100644
--- a/src/main/java/eu/siacs/conversations/utils/Resolver.java
+++ b/src/main/java/eu/siacs/conversations/utils/Resolver.java
@@ -234,6 +234,8 @@ public class Resolver {
 final AbstractDnsClient dnssecclient = DnssecResolverApi.INSTANCE.getClient();
 if (dnssecclient instanceof ReliableDnsClient) {
 ((ReliableDnsClient) dnssecclient).setUseHardcodedDnsServers(false);
+ // If your DNS server sucks, just don't do DNSSEC
+ ((ReliableDnsClient) dnssecclient).setMode(ReliableDnsClient.Mode.recursiveOnly);
 }
 }
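Review bot: The added comment above `setMode(ReliableDnsClient.Mode.recursiveOnly)` does not record the security consequence of the setting: with the iterative fallback gone, a local resolver that strips DNSSEC records makes validation fail and, per the commit message, lookups drop to regular unauthenticated DNS. I would replace it with `// recursiveOnly: never walk the tree iteratively (slow, or hangs when direct DNS is blocked).` followed by `// A resolver that strips DNSSEC therefore yields unauthenticated answers; callers must check authenticity before trusting a result.` The fallback path itself is outside this hunk, so it is worth confirming there that anything relying on validated data (presumably TLSA/DANE handling, if the project has it) is skipped when the answer is not authenticated, and that the downgrade is logged. The enclosing method begins before the hunk, so how often this setter runs on the shared `DnssecResolverApi.INSTANCE` client cannot be seen here.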