# File ../../auditor/lib/kasp_auditor/partial_auditor.rb, line 630
      def check_domain(rrsets, types, delegation)
        # Given an array of resource records for a particular owner name,
        # check that :
        # Each domain has a corresponding NSEC record. [E]
        # Each NSEC record has bits correctly set to indicate the types of RRs associated with the domain. [E]
        # Each NSEC3 record has bits correctly set to indicate the types of RRs associated with the domain. [E]
        #
        # Then, for each RRSet :
        # There is an RRSIG record for each algorithm for which there is a DNSKEY RR (unless the domain is glue, an unsigned delegation or out of zone) [E]
        # The RRSIG record(s) validate the RRset(s) for the domain using one of the keys in the DNSKEY RRset. (Note: except for the zone apex, there should be no RRSIG for NS RRsets, glue records, unsigned delegations or out of zone data.) [E]

        processed_nsec = false
        return if rrsets.length == 0
        is_glue = false

        rrsets.each {|rrset|
          if ([Types::NSEC, Types::NSEC3].include?rrset.type)
            if (rrset.rrs.length > 1)
              # RAISE ERROR - MORE THAN ONE NSEC!
              @parent.log("Multiple NSEC(3) records seen for #{rrset.name}")
            end
            # Process NSEC
            check_nsec_types(rrset.rrs()[0], types)
            processed_nsec = true
          end
          # How do we know if this domain is glue?! We can't, without sorting the zone.
          # So, if there is no RRSIG, then we have to assume that it is glue - should we then ignore it?
          if (rrset.sigs.length > 0)
            check_signature(rrset, delegation)
          else
            is_glue = true
          end
        }
        if (!processed_nsec && @config.denial.nsec && !is_glue)
          # Couldn't find any NSEC record for the domain!!
          # But it might be glue...
          @parent.log(LOG_ERR, "No NSEC record for #{rrsets[0].name}")
        end
        # @TODO@ Check there is an NSEC3 record for the domain!
      end