new: usr: Add dnssec-policy keys configuration check to named-checkconf

A new option `-k` is added to `named-checkconf` that allows checking the `dnssec-policy` `keys` configuration against the configured key stores. If the found key files are not in sync with the given `dnssec-policy`, the check will fail.

This is useful to run before migrating to `dnssec-policy`.

Closes #5486

Merge branch '5486-named-checkconf-dnssec-policy-key-directory' into 'main'

See merge request isc-projects/bind9!10907