update-policy logic logging/debugging
### Description
Currently, debugging update-policy rules is opaque: only the decision is available.
It would be beneficial if it was possible to trace the individual steps taken, e.g. which rule was expanded to what (wildcard expansion, key names vs. FQDN names), and to which result.
### Request
Logging at the right trace level could be something like below. Note I'm by far not an expert in the update policies, my example might be way off.
```
grant wrong-key-name name example.com ANY;
=> identity key wrong-key-name not found, aborted
grant key-name name example.com NS;
=> update request does not match name example.com, aborted
grant key-name name example.com MX;
=> update request does not match type, aborted
grant updater-key.example.com name example.com ANY;
=> identity host updater-key.example.com not found, aborted [ a keyname that looks like a fqdn? ]
=> request denied
```
Similarly key/kerberos failures could be logged too.
### Links / references
In #235 a similar request is made, this elaborates the scope and suggested solution.
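
Added example, not part of the original issue and not BIND's code: a simplified offline model of ordered update-policy matching that prints the kind of per-rule trace requested above. It assumes only the `name` rule type with exact identity and name matching (no wildcard, Kerberos or SIG(0) handling); the `evaluate` helper and the request values are hypothetical.

```python
# Simplified model of ordered update-policy matching ("name" rule type only).
# Not BIND code; the request values below are constructed for illustration.
NEVER = {"NSEC", "NSEC3"}                           # can never be updated
NO_TYPES_EXCLUDED = NEVER | {"RRSIG", "NS", "SOA"}  # excluded when a rule lists no types

def norm(name):
    """Compare DNS names case-insensitively and ignore a trailing dot."""
    return name.rstrip(".").lower()

def type_matches(rule_types, rrtype):
    rrtype = rrtype.upper()
    if rrtype in NEVER:
        return False
    if not rule_types:
        return rrtype not in NO_TYPES_EXCLUDED
    listed = {t.upper() for t in rule_types}
    return "ANY" in listed or rrtype in listed

def evaluate(rules, signer, name, rrtype):
    """Walk rules in order; the first full match decides. Returns (decision, trace)."""
    trace = []
    for action, identity, ruletype, rname, types in rules:
        rule = " ".join([action, identity, ruletype, rname, *types]) + ";"
        if ruletype != "name":
            trace.append(f"{rule} => rule type not modelled, skipped")
        elif norm(identity) != norm(signer):
            trace.append(f"{rule} => identity does not match signer {signer}, next rule")
        elif norm(rname) != norm(name):
            trace.append(f"{rule} => name does not match {name}, next rule")
        elif not type_matches(types, rrtype):
            trace.append(f"{rule} => type {rrtype} not covered, next rule")
        else:
            verdict = "granted" if action == "grant" else "denied"
            trace.append(f"{rule} => matched, request {verdict}")
            return action, trace
    trace.append("no rule matched => request denied")
    return "deny", trace

# The four rules from the issue text, as (action, identity, ruletype, name, types).
RULES = [
    ("grant", "wrong-key-name", "name", "example.com", ["ANY"]),
    ("grant", "key-name", "name", "example.com", ["NS"]),
    ("grant", "key-name", "name", "example.com", ["MX"]),
    ("grant", "updater-key.example.com", "name", "example.com", ["ANY"]),
]

if __name__ == "__main__":
    # Constructed request: signed by "key-name", updating an A record at example.com.
    decision, trace = evaluate(RULES, "key-name", "example.com", "A")
    print("\n".join(trace))
```
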