Security and Certificates
Use the DNS Toolkit to assess certificate posture, DNS-level hardening, and web security configuration.
Common security endpoints
| Endpoint | Purpose |
|---|---|
| GET /v1/certificate | Inspect the live TLS certificate |
| GET /v1/dnssec | Validate DNSSEC presence and status |
| GET /v1/security-headers | Score HTTP security headers |
| GET /v1/caa | Check which certificate authorities are authorized |
| GET /v1/tlsa | Inspect DANE / TLSA records |
| GET /v1/zone-transfer | Test for open AXFR zone transfers |
Python SDK examples
Check a live certificate
```python
from toolkitapi import DNS

with DNS(api_key="tk_...") as dns:
    cert = dns.certificate("github.com")
    print(cert)
```
Validate DNSSEC
```python
from toolkitapi import DNS

with DNS(api_key="tk_...") as dns:
    result = dns.dnssec("cloudflare.com")
    print(result)
```
Security headers audit
```python
from toolkitapi import DNS

with DNS(api_key="tk_...") as dns:
    result = dns.security_headers("toolkitapi.io")
    print(result)
```
Check CAA policy
```python
from toolkitapi import DNS

with DNS(api_key="tk_...") as dns:
    result = dns.caa("toolkitapi.io")
    print(result)
```
Test for open zone transfer
```python
from toolkitapi import DNS

with DNS(api_key="tk_...") as dns:
    result = dns.zone_transfer("toolkitapi.io")
    print(result)
```
What you get back
The certificate inspection response includes the issuer, serial number, validity window, days remaining, SANs, TLS protocol version, cipher, and key size.
For zone transfer testing, a 200 OK response only means the check completed successfully; the field that matters is whether vulnerable is true or false in the result.
Jump straight to live tools
- https://dns.toolkitapi.io/tools/certificate/
- https://dns.toolkitapi.io/tools/dnssec/
- https://dns.toolkitapi.io/tools/security-headers/
- https://dns.toolkitapi.io/tools/zone-transfer/
- https://dns.toolkitapi.io/tools/caa/
- https://dns.toolkitapi.io/tools/tlsa/
- https://dns.toolkitapi.io/tools/health/
Common workflows
- verify new domains before production cutover
- monitor certificate expiry and issuer changes
- check for missing DNSSEC or weak header posture
- confirm your CAA policy matches your certificate provider
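For the last workflow, the following added example (not part of the toolkit or its SDK) evaluates a domain's CAA record set against a certificate provider using the RFC 8659 rules. It works on raw CAA records in presentation format, because this page does not show the shape of the `dns.caa()` result; the function names and the sample records are constructed for illustration.

```python
import shlex

KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed sample RRset: one CA for normal names, no wildcard issuance at all.
SAMPLE_RRSET = [
    '0 issue "letsencrypt.org; validationmethods=dns-01"',
    '0 issuewild ";"',
    '0 iodef "mailto:security@example.com"',
]

def parse_caa(record):
    """Parse one CAA record written as: <flags> <tag> "<value>"."""
    flags, tag, value = shlex.split(record)
    return int(flags), tag.lower(), value

def ca_authorized(records, ca_domain, wildcard=False):
    """Return (allowed, reason) for ca_domain against a CAA RRset."""
    parsed = [parse_caa(r) for r in records]
    # A critical property (flag bit 128) that is not understood blocks issuance.
    for flags, tag, _ in parsed:
        if flags & 128 and tag not in KNOWN_TAGS:
            return False, f"critical unknown property '{tag}'"
    issue = [v for _, t, v in parsed if t == "issue"]
    issuewild = [v for _, t, v in parsed if t == "issuewild"]
    # issuewild overrides issue for wildcard names and is ignored otherwise.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True, "no restricting CAA property, any CA may issue"
    # Value is '<issuer-domain>[; param=value]'; an empty domain authorizes nobody.
    allowed = {v.split(";", 1)[0].strip().lower() for v in relevant}
    allowed.discard("")
    if ca_domain.lower() in allowed:
        return True, f"{ca_domain} is authorized"
    return False, f"{ca_domain} is not in the allowed set {sorted(allowed)}"

if __name__ == "__main__":
    for ca, wild in [("letsencrypt.org", False), ("letsencrypt.org", True),
                     ("digicert.com", False)]:
        print(ca, "wildcard" if wild else "fqdn", ca_authorized(SAMPLE_RRSET, ca, wild))
```

A record set with only `iodef` entries restricts nothing, so a mismatch between policy and provider shows up here as either an unexpected `True` for any CA or a `False` for the CA you actually use.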