# File ../../auditor/lib/kasp_auditor/key_tracker.rb, line 256
    def run_checks(key_ttl)
      # We also need to perform the auditing checks against the config
      # Checks to be performed :
      #   b) Warn if number of prepublished ZSKs < ZSK:Standby
      # Do this by [alg, alg_length] - so only select those keys which match the config
      @config.keys.zsks.each {|zsk|
        prepublished_zsk_count = @cache.prepublished.keys.select {|k|
          k.zone_key? && !k.sep_key? && (k.algorithm == zsk.algorithm) &&
            (k.key_length == zsk.alg_length)
        }.length
        if (prepublished_zsk_count < zsk.standby)
          msg = "Not enough prepublished ZSKs! Should be #{zsk.standby} but have #{prepublished_zsk_count}"
          @parent.log(LOG_WARNING, msg)
        end
      }
      @cache.inuse.each {|key, time|
        timestamp = time[0]
        first_timestamp = time[1]
        # Ignore this check if the key was already in use at the time at which the lifetime policy was changed.
        # How do we know to which AnyKey group this key belongs? Can only take a guess by [algorithm, alg_length] tuple
        # Also going to have to put checks in place where key protocol/algorithm is checked against policy :-(
        #   - no we don't! These are only checked when we are loading a new key - not one we've seen before.
        #     and of course, a new key should be created with the correct values!
        key_group_policy_changed = false
        # First, find all the key groups which this key could belong to
        keys = @config.changed_config.zsks
        if (key.sep_key?)
          keys = @config.changed_config.ksks
        end
        possible_groups = keys.select{|k|             (k.algorithm == key.algorithm) &&
            (k.alg_length == key.key_length)}
        # Then, find the latest timestamp (other than 0)
        key_group_policy_changed_time = 0
        if (possible_groups.length == 0)
          # Can't find the group this key belongs to
          if (@config.changed_config.kasp_timestamp < first_timestamp)
            #    @TODO@ o if there has been no change in any of the configured keys then error (the key shouldn't exist)
            # Shouldn't this be caught by something else?
          end
          #   o if there has been a change since the key was first seen,  then don't raise any errors for this key
        else
          possible_groups.each {|g|
            if (g.timestamp > key_group_policy_changed_time)
              key_group_policy_changed_time = g.timestamp
              key_group_policy_changed = true
            end
          }
          next if (key_group_policy_changed && (first_timestamp < key_group_policy_changed_time))
        end

        if (key.zone_key? && !key.sep_key?)
          #   d) Warn if ZSK inuse longer than ZSK:Lifetime + Enforcer:Interval
          # Get the ZSK lifetime for this type of key from the config
          zsks = @config.keys.zsks.select{|zsk|
            (zsk.algorithm == key.algorithm) &&
              (zsk.alg_length == key.key_length)}
          next if (zsks.length == 0)
          # Take the "safest" value - i.e. the longest one in this case
          zsk_lifetime = 0
          zsks.each {|z|
            zsk_lifetime = z.lifetime if (z.lifetime > zsk_lifetime)
          }
          lifetime = zsk_lifetime + @enforcer_interval 
          if timestamp < (Time.now.to_i - lifetime)
            msg = "ZSK #{key.key_tag} in use too long - should be max #{lifetime} seconds but has been #{Time.now.to_i-timestamp} seconds"
            @parent.log(LOG_WARNING, msg)
          end
        else
          #   c) Warn if KSK inuse longer than KSK:Lifetime + Enforcer:Interval
          # Get the KSK lifetime for this type of key from the config
          ksks = @config.keys.ksks.select{|ksk| (ksk.algorithm == key.algorithm) &&
              (ksk.alg_length == key.key_length)}
          next if (ksks.length == 0)
          # Take the "safest" value - i.e. the longest one in this case
          ksk_lifetime = 0
          ksks.each {|k|
            ksk_lifetime = k.lifetime if (k.lifetime > ksk_lifetime)
          }
          lifetime = ksk_lifetime + @enforcer_interval 
          if timestamp < (Time.now.to_i - lifetime)
#            msg = "KSK #{key.key_tag} in use too long - should be max #{lifetime} seconds but has been #{Time.now.to_i-timestamp} seconds"
            msg = "KSK #{key.key_tag} reaching end of lifetime - should be max #{lifetime} seconds but has been #{Time.now.to_i-timestamp} seconds, not including time taken for DS to be seen"
            @parent.log(LOG_WARNING, msg)
          end
        end
      }
      if (@config.audit_tag_present)
        check_inuse_keys_history(key_ttl)
      end
    end