Several questions for clarification, namecheap DNS, netlify DNS ipv4/6, DNSSEC, Content-Security-Policy and internet.nl score

Hello,

Firstly, thank you for providing this service and support forums. I am very grateful for Netlify and this community for providing a place to learn.

Secondly, I have a few questions I’d just like to clarify, and would like to apologize preemptively if I misuse terminology or word something incorrectly.

I have a namecheap account where I purchased my domain. I host my site on github and have forked a theme that I like a lot.

Please correct me if I am wrong. From what I understand, if I have Netlify DNS (which has IPv4 and IPv6) then DNSSEC is not supported?

Is there any way to get a score of 100% using namecheap, github and netlify?

Also, is there any way someone could please help me with my Content-Security-Policy? I’m afraid I don’t quite understand how to make it work correctly.

The Hugo theme I am using is GitHub - ronv/listed: Minimalistic, clean and simple design Hugo theme
And my site should look like this https://listed-hugo.netlify.app/
But instead it looks like this https://akc3n.netlify.app
Using Report URI: Generate your Content Security Policy for my https://github.com/akc3n/akc3ndotorg/blob/main/netlify.toml

Thank you for taking a look at my question(s). I appreciate your time and help.

Github repo: https://github.com/akc3n/akc3ndotorg/
Netlify site name: akc3n.netlify.app
Domain: https://akc3n.org

Thank you for the kind words (though more credit goes to my teammates @hillary and @perry who are in charge of the forums for the work they do every day, as a Support + Forums team we celebrate the wins together :)). In the end, we are glad to see you here, @akc3n , and are happy for the opportunity to not just give you tech support (don’t worry, our staff does get compensated for this time!) but also share answers that could help future explorers be able to self serve on the same topic.

One thing we are proud of here is that this isn’t Stack Overflow. I use Stack Overflow every day, but I see those kinds of toxic comments every day - “you asked wrong.” “your question displays your ignorance” (duh, I am asking the question to learn!) - and we strive to be the opposite, so I hope we never make you feel bad about how you ask or what you ask. But we do appreciate your diligence in asking the best questions possible, which it is clear you have done since you set context so well and were thorough in your ask. Kudos!

That said, we’re not in control of what the tests at internet.nl test, and in particular I don’t personally understand content-security-policy HTTP response headers enough to understand if the ding I see on netlify.com when I test it, is:

  • a problem
  • or would apply to your sites

We’ll leave this thread open to find someone else who can better speak to the CSP question, but you asked about DNS, and that I can speak authoritatively to!

Unfortunately your statements are correct (rare to say that but I am sad to agree with you):

  • our DNS hosting does not support DNSSEC
  • not using our DNS hosting makes it very hard to have ipv6 on your bare domain, since we don’t provide an ipv6 load balancer

GitHub doesn’t really factor into the score there 🙂

I guess the best “mix” you can get of our features vs their grading would be:

  • host your DNS elsewhere (e.g. namecheap)
  • use a CNAME for www.akc3n.org to point to sitename.netlify.app - that will provide ipv6 answers when available, which is the case in most but not all of our datacenters. But, this won’t help for the bare domain akc3n.org
  • change your primary custom domain to www.akc3n.org instead of akc3n.org, as this will allow you to actually use our CDN with external DNS hosting.

That will let you use DNSSEC (with a presumably-DNSSEC capable DNS host), and give you IPv6 on the domain your visitors end up on (www, rather than bare domain).

Nothing you can do, on Netlify, will guarantee a score of 100 today or in the future on that tool. However, most of these tools providing scores are advisory and sometimes the tools disagree with “how we do things”, so we aren’t trying to get 100% in how we build our product (for instance, that tool claims that our server supporting compression - which vastly speeds up your site load - could be a security problem. We 100% disagree with that assessment, and they’d have a very hard time convincing us otherwise. Perhaps that is the case on some server somewhere, but we are pretty confident, not ours.) It’s a good thing to get the best score you can, but it is rarely (in my 5 years of being asked questions about performance metrics at this company + a 27 year career of thinking about the same topic) the case that being under 100% is a major problem.

Also - apologies but I didn’t understand what you meant by:

And my site should look like this https://listed-hugo.netlify.app/
But instead it looks like this https://akc3n.netlify.app

What exactly looks wrong to you?


Hi,

Thank you so much for making me feel welcome and I appreciate the time plus effort you put into explaining everything to me. It certainly clarifies everything I was inquiring about.

What exactly looks wrong to you?

The problem here is that the original theme looks like this, with no Content-Security-Policy in headers:

While mine does look exactly the same if I only comment out
Content-Security-Policy = "default-src 'none'; style-src 'self'; style-src-elem 'self'; style-src-attr 'self'; img-src 'self'; frame-ancestors 'none'; form-action 'none'; block-all-mixed-content; base-uri 'none';"
And
Referrer-Policy = 'strict-origin-when-cross-origin'
In my https://github.com/akc3n/akc3ndotorg/blob/main/netlify.toml

However, I don’t know how I would correctly apply a CSP to load all the styles and functions.

Hi @akc3n

This is referring specifically to the shortcut icon, which has no src as it is a base64 string. I am not overly familiar with CSP, however based on this post on Stack Overflow (and linked W3C Working Draft) I believe you need to change

img-src 'self';

to

img-src 'self' data:;

to explicitly allow the loading of the icon. The original https://listed-hugo.netlify.app has no CSP headers so.

Edit:

The solution for the inline styles not rendering is mentioned in the console message. One method is to have

<style nonce="2726c7f26c">
/* Styles */
</style>

coupled with a CSP

style-src 'self' 'nonce-2726c7f26c';

This is further explained here: CSP: style-src - HTTP | MDN.

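To see why the header quoted earlier in this thread blocks the theme, and how the two changes in the reply above (adding `data:` to `img-src`, and a nonce or hash on `style-src`) let it load, here is a small Python CSP evaluator. It is an added example, not code from this thread, from Netlify or from the listed theme: it implements a simplified subset of the CSP source-matching rules (`'none'`, `'self'`, scheme sources such as `data:`, `'nonce-…'`, `'sha256-…'` and `'unsafe-inline'`; host expressions are not matched), and the inline CSS it hashes is a constructed stand-in for whatever the theme actually inlines.

```python
# Added example (not from the thread, Netlify or the theme): evaluate a
# Content-Security-Policy header against the two loads the theme needs.
import base64
import hashlib
import secrets

# CSP3 fallback chain: a missing directive is governed by the next one listed.
FALLBACK = {
    "style-src-elem": ["style-src", "default-src"],
    "style-src-attr": ["style-src", "default-src"],
    "style-src": ["default-src"],
}
# Navigation/document directives never fall back to default-src.
NO_FALLBACK = {"frame-ancestors", "form-action", "base-uri"}


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]} (quotes kept)."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def governing_sources(policy, directive):
    """Return the source list that governs `directive`, or None if nothing does."""
    chain = [] if directive in NO_FALLBACK else FALLBACK.get(directive, ["default-src"])
    for name in [directive] + chain:
        if name in policy:
            return policy[name]
    return None


def inline_hash(content):
    """Hash source expression ('sha256-<base64>') for one inline <style> body."""
    digest = hashlib.sha256(content.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def allows(policy, directive, scheme=None, same_origin=False,
           inline_content=None, nonce=None):
    """Simplified check of whether one load is permitted under `policy`.

    `inline_content` is the text of an inline style; `nonce` is the value of
    its nonce="" attribute, if any. Host-source matching is not implemented.
    """
    sources = governing_sources(policy, directive)
    if sources is None:
        return True                      # no governing directive: allowed
    if sources == ["'none'"]:            # 'none' only counts when it stands alone
        return False
    if inline_content is not None:
        if nonce and f"'nonce-{nonce}'" in sources:
            return True
        if inline_hash(inline_content) in sources:
            return True
        # 'unsafe-inline' is ignored as soon as any nonce or hash source is present
        has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in sources)
        return "'unsafe-inline'" in sources and not has_nonce_or_hash
    if same_origin and "'self'" in sources:
        return True
    if scheme and f"{scheme}:" in sources:
        return True
    return False


# The header from the netlify.toml quoted earlier in this thread.
ORIGINAL_CSP = ("default-src 'none'; style-src 'self'; style-src-elem 'self'; "
                "style-src-attr 'self'; img-src 'self'; frame-ancestors 'none'; "
                "form-action 'none'; block-all-mixed-content; base-uri 'none';")

# Constructed stand-in for the theme's inline <style> body.
THEME_INLINE_CSS = "body { margin: 0; font-family: sans-serif; }"


def diagnose(header, inline_css=THEME_INLINE_CSS, nonce=None):
    """Report whether the data: favicon and the inline style load under `header`."""
    policy = parse_csp(header)
    return {
        "data_favicon": allows(policy, "img-src", scheme="data"),
        "inline_style": allows(policy, "style-src-elem",
                               inline_content=inline_css, nonce=nonce),
    }


def fixed_csp_with_nonce(nonce):
    """Nonce variant from the reply above; only sound if the nonce is fresh per response."""
    return (f"default-src 'none'; style-src 'self' 'nonce-{nonce}'; img-src 'self' data:; "
            "frame-ancestors 'none'; form-action 'none'; base-uri 'none';")


def fixed_csp_with_hash(inline_css):
    """Hash variant for a statically served site: nothing needs to rotate."""
    return (f"default-src 'none'; style-src 'self' {inline_hash(inline_css)}; "
            "img-src 'self' data:; frame-ancestors 'none'; form-action 'none'; "
            "base-uri 'none';")


if __name__ == "__main__":
    print("original:", diagnose(ORIGINAL_CSP))
    nonce = secrets.token_urlsafe(16)
    print("nonce fix:", diagnose(fixed_csp_with_nonce(nonce), nonce=nonce))
    print("hash fix:", diagnose(fixed_csp_with_hash(THEME_INLINE_CSS)))
```

One caveat worth knowing before copying the nonce into netlify.toml: a header set there is the same for every response, so a nonce written into it is a constant and no longer proves anything about which inline style the page author intended. For a site whose HTML is generated once at build time, a `'sha256-…'` source computed over the exact text of the `<style>` element (as `inline_hash` does) gives the same result without needing anything to rotate; it just has to be recomputed whenever that inline CSS changes. Inline `style=""` attributes are governed by `style-src-attr` rather than `style-src-elem` and cannot carry a nonce, so if the theme uses them they need a separate answer.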

Thank you so much @coelmay,

That was the solution that was needed to fix my issue, which also led to finding more resources and documentation that covers more questions I had.

I really appreciate you taking the time to help me with this and opening the door to more knowledge. Thank you both, @coelmay and @fool