Current behavior
Debugging ACLs is hard.

Describe the desired feature
When a query is refused/denied and sufficiently verbose logging is enabled, the reason why the query is refused should be logged. e.g.

[12345:1] debug: refused query from ip4 1.2.3.4 port 12345 (len 16) because of 'access-control: 0.0.0.0/32 refuse_non_local'

Potential use-case
Configuring these things is hard enough. Adding better logging will aid in debugging.