# File ../../auditor/lib/kasp_auditor/partial_auditor.rb, line 793
    def do_basic_nsec3param_checks(line)
      rr = RR.create(line)
      # Should we have any NSEC3PARAMs in this zone?
      if (@config.denial.nsec)
        log(LOG_ERR, "NSEC3PARAM RRs included in NSEC-signed zone")
        return
      end
      # Check NSEC3PARAM flags
      if (rr.flags != 0)
        log(LOG_ERR, "NSEC3PARAM flags should be 0, but were #{rr.flags} for #{rr.name}")
      end
      # Check that we are at the apex of the zone here
      if (rr.name.to_s.downcase != @config.name.to_s.downcase)
        log(LOG_ERR, "NSEC3PARAM seen at #{rr.name} : should be at zone apex (#{@config.name}")
      end
      # Check that we have not seen an NSEC3PARAM before
      if (!@nsec3param)
        #  Store the NSEC3PARAM parameters for use with the rest of the zones' NSEC3 records
        # We know that no NSECs should have been seen by now, as this record is at the zone apex and NSEC(3) RRs appear at the bottom of the RRSets for the domain
        @nsec3param = rr
      else
        log(LOG_ERR, "Multiple NSEC3PARAM RRs for #{@config.name}")
      end
      #      end
      # Check that the NSEC3PARAMs are the same as those defined in the Config
      if (rr.salt != @config.denial.nsec3.hash.salt)
        log(LOG_ERR, "NSEC3PARAM has wrong salt : should be #{@config.denial.nsec3.hash.salt} but was #{(rr.salt)}")
      end
      if (rr.iterations != @config.denial.nsec3.hash.iterations)
        log(LOG_ERR, "NSEC3PARAM has wrong iterations : should be #{@config.denial.nsec3.hash.iterations} but was #{rr.iterations}")
      end
      if (rr.hash_alg != @config.denial.nsec3.hash.algorithm)
        log(LOG_ERR, "NSEC3PARAM has wrong algorithm : should be #{@config.denial.nsec3.hash.algorithm} but was #{rr.hash_alg.to_i}")
      end
    end