I've set OCSP up, but see lots of resolver timed out errors in my logs:
ocsp.sectigo.com could not be resolved (110: Operation timed out) while requesting certificate status, responder: ocsp.sectigo.com
Looking into it, it seems I can curl ocsp.sectigo.com quickly and consistently, but curl -6 ocsp.sectigo.com fails. Indeed, it seems there's no AAAA record on ocsp.sectigo.com.
I don't know if nginx would even be trying to resolve IPv6 (I know nothing about IPv6), but I'm guessing that MIGHT be the problem here?
I've tried removing my resolver/resolver_timeout declarations and replacing them with ssl_stapling_responder http://213.133.98.98/;, but then I get these errors:
OCSP responder timed out (110: Connection timed out) while requesting certificate status, responder: 213.133.98.98, peer: 213.133.98.98:80
(and indeed if I try to curl the IP address that does timeout for me as well)
This is my relevant nginx conf:
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/ssl/mydomain.crt;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 1s;
I had the timeout set to 10s, but given the errors I'm getting I'm worried that some of my end users are sat there with a 10s pause waiting for the site to load before the OCSP gives up. I'd like to think the OCSP check is asynchronous after the page has loaded, but I've no idea!
nginx version:
nginx version: nginx/1.19.4
built by gcc 8.3.1 20191121 (Red Hat 8.3.1-5) (GCC)
built with OpenSSL 1.1.1c FIPS 28 May 2019
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules
--conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log
--pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp
--http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp
--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat
--with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module
--with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module
--with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module
--with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module
--with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS
-fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection
-fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'
Anything I can do better? Should I just abandon OCSP?
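As an added example (not part of the question above), a small Python checker that classifies the two kinds of OCSP stapling errors quoted in the question from nginx's error log, so DNS-side failures (resolver, missing AAAA record) can be told apart from connection-side ones (responder host not answering). The log lines are constructed from the messages in the question; the timestamp/pid prefix is assumed to be nginx's standard error_log format.

```python
import re
from collections import Counter

# Matches the OCSP stapling failures ngx_http_ssl_module writes to error_log.
# Prefix: "YYYY/MM/DD HH:MM:SS [level] pid#tid: ", then the message, then
# " while requesting certificate status, responder: X" and optionally ", peer: Y".
OCSP_LINE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] \d+#\d+: "
    r"(?P<msg>.*?) while requesting certificate status, "
    r"responder: (?P<responder>[^,\s]+)(?:, peer: (?P<peer>\S+))?$"
)

def classify(line):
    """Return (category, responder) for an OCSP stapling error line, else None."""
    m = OCSP_LINE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    if "could not be resolved" in msg:
        # Name lookup failed: the resolver directive, resolver_timeout or the
        # AAAA/A lookups are the thing to check, not the responder itself.
        cat = "dns"
    elif "timed out" in msg:
        # Name resolved (or IP given directly) but no TCP/HTTP answer came back:
        # the network path from the server to the responder is the thing to check.
        cat = "connect"
    else:
        cat = "responder"  # any other responder-side error (bad reply etc.)
    return cat, m.group("responder")

def summarize(lines):
    """Count (category, responder) pairs across a batch of error_log lines."""
    counts = Counter()
    for line in lines:
        result = classify(line.rstrip("\n"))
        if result:
            counts[result] += 1
    return counts

# Constructed sample log, built from the two messages quoted in the question.
SAMPLE_LOG = [
    "2020/11/20 09:12:01 [error] 1234#1234: ocsp.sectigo.com could not be resolved (110: Operation timed out) while requesting certificate status, responder: ocsp.sectigo.com",
    "2020/11/20 09:12:03 [error] 1234#1234: ocsp.sectigo.com could not be resolved (110: Operation timed out) while requesting certificate status, responder: ocsp.sectigo.com",
    "2020/11/20 09:13:10 [error] 1234#1234: OCSP responder timed out (110: Connection timed out) while requesting certificate status, responder: 213.133.98.98, peer: 213.133.98.98:80",
    "2020/11/20 09:13:11 [notice] 1234#1234: signal process started",
]

if __name__ == "__main__":
    for (cat, responder), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{cat:9} {responder:20} {n}")
```

Run it against the real file with `summarize(open("/var/log/nginx/error.log"))`; a pile of "dns" entries points at the resolver setup, a pile of "connect" entries at reachability of the responder from the server.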