Issue #65 - CAA tag-value validation

Codeberg issue: https://codeberg.org/DNS-OARC/validns/issues/65

Signed zone with a rich CAA RRset, used to prove that CAA wire-format encoding
is unchanged by the value-validation work. The signature is the canary: any
encoding regression breaks RRSIG verification immediately.

Zone signed with RSASHA256 so signatures validate on every platform (including
RHEL9 where SHA-1 is disabled by crypto policy). Signing window is 30 days
(2027-01-01 .. 2027-01-31 UTC) — modern operator practice; the fixture is
anchored by -t, so window length does not affect test stability, but the
shorter window mirrors what real signed zones look like.

Test-time used by src/t/test.pl: 1800057600 (2027-01-15 12:00 UTC,
mid-window). If regenerate.sh is changed to use a different window, update
the -t flag in test.pl accordingly.

To regenerate:

    cd src/t/issues/65-caa-validation
    ./regenerate.sh
