# File ../../auditor/lib/kasp_auditor/auditor.rb, line 718
    def load_signed_subdomain(file, last_rr, unsigned_domain_rrs = nil)
      # Load next subdomain of the zone (specified in the last_rr.name)
      # Keep going until zone subdomain changes.
      # If we are loading the signed zone, then we also check the records against the unsigned, and build up useful data for the auditing code
      return if !last_rr
      subdomain = get_subdomain_to_load(last_rr)
      #      print "Loading signed subdomain : #{subdomain}\n"
      seen_dnskey_sep_set = false
      seen_dnskey_sep_clear = false
      l_rr = last_rr
      old_rr = last_rr
      types_covered = [l_rr.type]
      current_domain = l_rr.name
      seen_nsec_for_domain = false
      current_rrset = RRSet.new
      is_glue = false
      delegation = false
      while (l_rr && test_subdomain(l_rr, subdomain))
        #                print "Loaded signed RR : #{l_rr}\n"

        # Remember to reset types_covered when the domain changes
        if (l_rr.name != current_domain)
          if (@config.denial.nsec3)
            # Build up a list of hashed domains and the types seen there,
            # iff we're using NSEC3
            write_types_to_file(current_domain, types_covered, last_rr.name, is_glue)
          end
          delegation = false
          if !(test_subdomain(current_domain, subdomain))
            is_glue = false
          else
            is_glue = true
          end
          seen_nsec_for_domain = false
          types_covered = []
          types_covered.push(l_rr.type)
          current_domain = l_rr.name
          last_rr = old_rr
          if last_rr.type == Types::NS
            delegation = true
          end
        else
          if l_rr.type == Types::NS
            delegation = true
          end
        end
        if !([Types::A, Types::AAAA, Types::RRSIG].include?l_rr.type)
          is_glue = false
        end

        # Keep track of the RRSet we're currently loading - as soon as all the RRs have been loaded, then check the RRSIG
        # So, keep track of the last RR type (or type_covered, if RRSIG)
        # When that changes, check the signature for the RRSet
        if (current_rrset.add(l_rr, false))
          if (l_rr.type == Types::RRSIG)
            if !(types_covered.include?Types::RRSIG)
              types_covered.push(Types.RRSIG)
            end
          else
            if (!types_covered.include?l_rr.type)
              types_covered.push(l_rr.type)
            end
          end
        else
          # We have a complete RRSet.
          # Now check the signatures!
          check_signature(current_rrset, is_glue, delegation)
          current_rrset = RRSet.new
          current_rrset.add(l_rr, false)
          types_covered.push(l_rr.type)
        end

        if (l_rr.type == Types::DNSKEY) # Check the DNSKEYs
          if (l_rr.sep_key?)
            seen_dnskey_sep_set = true
          else
            seen_dnskey_sep_clear = true
          end
          @keys.push(l_rr)
          @keys_to_check.push(l_rr.clone)
          @algs.push(l_rr.algorithm) if !@algs.include?l_rr.algorithm

        elsif (l_rr.type == Types::NSEC)
          if (!@first_nsec)
            @first_nsec = l_rr
          end
          seen_nsec_for_domain = true
          check_nsec(l_rr, types_covered)

        elsif (l_rr.type == Types::NSEC3PARAM)
          check_nsec3param(l_rr, subdomain)

        elsif (l_rr.type == Types::NSEC3)
          if (!@first_nsec)
            @first_nsec = l_rr
          end
          check_nsec3(l_rr)

        end
        # Check if the record exists in both zones - if not, print an error
        if (unsigned_domain_rrs  &&  !(unsigned_domain_rrs.delete(l_rr))) # delete the record from the unsigned
          # ADDITIONAL SIGNED RECORD!! Check if we should error on it
          process_additional_signed_rr(l_rr)
          if (l_rr.type == Types::SOA)
            unsigned_domain_rrs.each {|u_rr|
              unsigned_domain_rrs.delete(u_rr) if u_rr.type == Types::SOA
            }
          end
        end
        old_rr = l_rr
        l_rr = get_next_rr(file)
      end
      if (@config.denial.nsec3)
        # Build up a list of hashed domains and the types seen there,
        # iff we're using NSEC3
        write_types_to_file(current_domain, types_covered, last_rr.name, is_glue)
      end
      # Remember to check the signatures of the final RRSet!
      check_signature(current_rrset, is_glue, delegation)
      if (@config.denial.nsec)
        if (!is_glue)
          if (!seen_nsec_for_domain)
            if (@unknown_nsecs[current_rrset.name.to_s+"."])
            else
              log(LOG_ERR, "No #{nsec_string()} record for #{current_domain}")
            end
          end
        else
          if (current_rrset.length == 0)
            if (seen_nsec_for_domain)
              log(LOG_ERR, "#{nsec_string()} record seen for #{current_domain}, which is glue")
            end
          end
        end
      end

      # Check that there are no records left in unsigned - if there are, then print an error
      if (unsigned_domain_rrs && unsigned_domain_rrs.length > 0)
        unsigned_domain_rrs.each { |unsigned_rr|
          # Check if out of zone - if not, then print an error
          process_additional_unsigned_rr(unsigned_rr)
        }
      end
      if (!subdomain || subdomain == "")
        check_dnskeys_at_zone_apex(seen_dnskey_sep_set, seen_dnskey_sep_clear)
      end
      return l_rr
    end