# File ../../auditor/lib/kasp_auditor/partial_auditor.rb, line 672
      def check_signature(rrset, delegation)
        if (delegation && ([Types::AAAA, Types::A].include?rrset.type))
          # glue - don't verify
          return
        end
        rrset_sig_types = []
        rrset.sigs.each {|sig| rrset_sig_types.push(sig.algorithm)}
        @algs.each {|alg|
          if !(rrset_sig_types.include?alg)
            if ((rrset.type == Types::NS) && (rrset.name != @soa.name)) # NS RRSet NOT at zone apex is OK
            else
              s = rrset_sig_types.join" "
              @parent.log(LOG_ERR, "RRSIGS should include algorithm #{alg} for #{rrset.name}, #{rrset.type}, have :#{s}")
            end
          end
        }
        #  b) RRSIGs validate for at least one key in DNSKEY RRSet  (Note: except for the zone apex, there should be no RRSIG for NS RRsets.)
        #          print "Verifying RRSIG for #{rrset}\n"
        # @TODO@ Create an RRSET with *only* the RRSIG we are interested in - check that they all verify ok?
        # Check if this is an NS RRSet other than the zone apex - if so, then skip the verify test
        if ((rrset.type == Types::NS) && ((rrset.name != @soa.name)))
          # Skip the verify test
        else
          begin
            #          print "About to verify #{rrset.name} #{rrset.type}, #{rrset.rrs.length} RRs, #{rrset.sigs.length} RRSIGs, #{@keys.length} keys\n"
            Dnssec.verify_rrset(rrset, @parent.keys)
          rescue VerifyError => e
            @parent.log(LOG_ERR, "RRSet (#{rrset.name}, #{rrset.type}) failed verification : #{e}, tag = #{rrset.sigs()[0] ? rrset.sigs()[0].key_tag : 'none'}")
          end
        end
      end