DNS Certification Authority Authorization (CAA) Policy / DNSSEC for whonix.org / ssllabs.com test results / OCSP ERROR: Exception: connect timed out [http://r3.o.lencr.org] / Must-Staple

We also have the Expect-CT header, and more importantly, we are now running certspotter to monitor the public Certificate Transparency Logs for any unexpected issuing of whonix.org SSL certificates that were not made by us.