# File ../../auditor/lib/kasp_auditor/auditor.rb, line 318
    def check_signature(rrset, is_glue, delegation)
      return if is_glue
      if (delegation && ([Types::AAAA, Types::A].include?rrset.type) && (rrset.name != @soa.name))
        # glue - don't verify
        # Make sure that rrset is NOT signed
        if rrset.sigs.length > 0
          log(LOG_ERR, "Glue should not be signed : #{rrset.name}, #{rrset.type}")
        end
        return
      end
      if (out_of_zone(rrset.name))
        # Check that RRSet is NOT signed
        if rrset.sigs.length > 0
          log(LOG_ERR, "Out of zone data should not be signed : #{rrset.name}, #{rrset.type}")
        end
        return
      end
      if ((rrset.type == Types::NS) && (rrset.name != @soa.name))
        # Make sure delegation is NOT signed
        if rrset.sigs.length > 0
          log(LOG_ERR, "Delegation should not be signed : #{rrset.name}, #{rrset.type}")
        end
        return
      end
      rrset_sig_types = []
      rrset.sigs.each {|sig| rrset_sig_types.push(sig.algorithm)}
      @algs.each {|alg|
        if !(rrset_sig_types.include?alg)
          if ((rrset.type == Types::NS) && (rrset.name != @soa.name)) # NS RRSet NOT at zone apex is OK
          else
            s = ""
            rrset_sig_types.each {|t| s = s + " #{t} "}
            log(LOG_ERR, "RRSIGS should include algorithm #{alg} for #{rrset.name}, #{rrset.type}, have :#{s}")
          end
        end
      }
      #  b) RRSIGs validate for at least one key in DNSKEY RRSet  (Note: except for the zone apex, there should be no RRSIG for NS RRsets.)
      #          print "Verifying RRSIG for #{rrset}\n"
      # @TODO@ Create an RRSET with *only* the RRSIG we are interested in - check that they all verify ok?
      # Check if this is an NS RRSet other than the zone apex - if so, then skip the verify test
      if ((rrset.type == Types::NS) && ((rrset.name != @soa.name)))
        # Skip the verify test
      elsif (@unknown_nsecs[rrset.name.to_s+"."])
        log(LOG_INFO,"Skipping verification test for #{rrset.name}, #{rrset.type} : Original type is not supported")
        # Skip the verify test
      else
        begin
          #          print "About to verify #{rrset.name} #{rrset.type}, #{rrset.rrs.length} RRs, #{rrset.sigs.length} RRSIGs, #{@keys.length} keys\n"
          Dnssec.verify_rrset(rrset, @keys)
          #          print "Verified OK!!\n"
        rescue VerifyError => e
          log(LOG_ERR, "RRSet (#{rrset.name}, #{rrset.type}) failed verification : #{e}, tag = #{rrset.sigs()[0] ? rrset.sigs()[0].key_tag : 'none'}")
        end
        # Add the key_tags to the list of tags which have actually been used in this zone
        # This is used for tracking key lifecycles through time (with the KeyTracker)
        rrset.sigs.each {|sig|
          if (!@keys_used.include?sig.key_tag)
            @keys_used.push(sig.key_tag)
          end
        }
      end

      check_policy_changes

      #  c) inception date in past by at least interval specified by config
      rrset.sigs.each {|sig|
        # See if any of the configuration has changed for signature lifetimes
        if (@policy_has_changed)
          if (!@inception_offset_has_changed)
            #  If not inception_offset which changed, then simply ignore RRSIGs which were
            #   created earlier than the policy change timestamp (including inception_offset here!)
            if (sig.inception < (@policy_change_timestamp - @config.signatures.inception_offset))
              log(LOG_WARNING, "Skipping signature lifetime check for #{sig.name}, #{sig.type_covered} : policy has changed since #{sig.inception} (at #{@policy_change_timestamp})\n")
              next
            end
          else
            #   If InceptionOffset has changed, then all bets are probably off. In this case,
            #      ignore all signature which were created less than a day before the policy changed.
            if (sig.inception < (@policy_change_timestamp - (3600 * 24)))
              log(LOG_WARNING, "Skipping signature lifetime check for #{sig.name}, #{sig.type_covered} : policy has changed since #{sig.inception} (at #{@policy_change_timestamp})\n")
              next
            end
          end
        end
        time_now = Time.now.to_i
        if (sig.inception > (time_now + @config.signatures.inception_offset))
          log(LOG_ERR, "Inception error for #{sig.name}, #{sig.type_covered} : Signature inception is #{sig.inception}, time now is #{time_now}, inception offset is #{@config.signatures.inception_offset}, difference = #{time_now - sig.inception}")
        else
          #                      print "OK : Signature inception is #{sig.inception}, time now is #{time_now}, inception offset is #{@config.signatures.inception_offset}, difference = #{time_now - sig.inception}\n"
        end

        #  d) expiration date in future by at least interval specified by config
        refresh = @config.signatures.refresh
        resign = @config.signatures.resign
        # We want to check that there is at least the refresh period left before
        # the signature expires.
        # @TODO@ Probably want to have a WARN level and an ERROR level
        # Expired signatures are caught by the verify_rrset() call above
        if ((time_now <= sig.expiration) && time_now > (sig.expiration - refresh + resign))
          log(LOG_ERR, "Signature expiration (#{sig.expiration}) for #{sig.name}, #{sig.type_covered} should be later than (the refresh period (#{refresh}) - the resign period (#{resign})) from now (#{time_now})")
        else
          #            print "OK : Signature expiration is #{sig.expiration}, time now is #{time_now}, signature validity is #{validity}, difference = #{sig.expiration - time_now}\n"
        end

        # Check signature lifetime :
        # inceptionoffset + validity - jitter ≤ (exception - inception) ≤ inceptionoffset + validity +jitter
        validity = @config.signatures.validity.default
        if ([Types::NSEC, Types::NSEC3].include?sig.type_covered)
          validity = @config.signatures.validity.denial
        end

        # Check signature lifetime
        min_lifetime = @config.signatures.inception_offset + validity - @config.signatures.jitter
        max_lifetime = @config.signatures.inception_offset + validity + @config.signatures.jitter
        actual_lifetime = sig.expiration - sig.inception
        if (min_lifetime > actual_lifetime)
          log(LOG_ERR, "Signature lifetime for #{sig.name}, #{sig.type_covered} too short - should be at least #{min_lifetime} but was #{actual_lifetime}")
        end
        if (max_lifetime < actual_lifetime)
          log(LOG_ERR, "Signature lifetime for #{sig.name}, #{sig.type_covered} too long - should be at most #{max_lifetime} but was #{actual_lifetime}")
        end

      }


    end