VA: Add a method for performing MPIC compliant CAA checks

[beautifulentropy]

Add VA.CheckCAA, a new MPIC compliant gRPC method that will replace VA.PerformValidation for the initial check of CAA records and VA.IsCAAValid for the re-check of CAA records.

Convert some of the ad-hoc tests added in #7794 to table-driven tests.

Part of #7615
Part of #7614
Part of #7616

Do not merge before #7794.

---

Ballot Summary for Reviewers

You can read the full ballot contents here. I have pulled together a summary below:

3.2.2.9 Multi-Perspective Issuance Corroboration

... Furthermore, for any pair of DNS resolvers used on a Multi-Perspective Issuance Corroboration attempt, the straight-line distance between the two States, Provinces, or Countries the DNS resolvers reside in MUST be at least 500 km. The location of a DNS resolver is determined by the point where unencapsulated outbound DNS queries are typically first handed off to the network infrastructure providing Internet connectivity to that DNS resolver.

This PR does not attempt to satisfy the aforementioned distance requirement. This will need to be satisfied as part of the datacenter selection process for perspectives.

Table: Quorum Requirements

# of Distinct Remote Network Perspectives Used	# of Allowed non-Corroborations
2-5	1
6+	2

...

Phased Implementation Timeline

• Effective March 15, 2025, the CA MUST implement Multi-Perspective Issuance Corroboration using at least two (2) remote Network Perspectives. The CA MAY proceed with certificate issuance if the number of remote Network Perspectives that do not corroborate the determinations made by the Primary Network Perspective ("non-corroborations") is greater than allowed in the Quorum Requirements table.
• Effective September 15, 2025, the CA MUST implement Multi-Perspective Issuance Corroboration using at least two (2) remote Network Perspectives. The CA MUST NOT proceed with certificate issuance if the number of non-corroborations is greater than allowed in the Quorum Requirements table.
• Effective March 15, 2026, the CA MUST implement Multi-Perspective Issuance Corroboration using at least three (3) remote Network Perspectives. The CA MUST NOT proceed with certificate issuance if the number of non-corroborations is greater than allowed in the Quorum Requirements table and if the remote Network Perspectives that do corroborate the determinations made by the Primary Network Perspective do not fall within the service regions of at least two (2) distinct Regional Internet Registries.

These requirements are satisfied by this PR.

• Effective June 15, 2026, the CA MUST implement Multi-Perspective Issuance Corroboration using at least four (4) remote Network Perspectives. The CA MUST NOT proceed with certificate issuance if the number of non-corroborations is greater than allowed in the Quorum Requirements table and if the remote Network Perspectives that do corroborate the determinations made by the Primary Network Perspective do not fall within the service regions of at least two (2) distinct Regional Internet Registries.
• Effective December 15, 2026, the CA MUST implement Multi-Perspective Issuance Corroboration using at least five (5) remote Network Perspectives. The CA MUST NOT proceed with certificate issuance if the number of non-corroborations is greater than allowed in the Quorum Requirements table and if the remote Network Perspectives that do corroborate the determinations made by the Primary Network Perspective do not fall within the service regions of at least two (2) distinct Regional Internet Registries.

These requirements are not satisfied by this PR. The following code will need to be updated to reject validation requests when fewer than 4 (later 5) remote VAs are required.

const (
	// requiredPerspectives is the minimum number of perspectives required to
	// perform an MPIC-compliant validation.
	//
	// Timeline:
	//  - Mar 15, 2026: MUST implement using at least 3 perspectives
	//  - Jun 15, 2026: MUST implement using at least 4 perspectives
	//  - Dec 15, 2026: MUST implement using at least 5 perspectives
	requiredPerspectives = 3

5.4.1 Types of events recorded

7. Multi-Perspective Issuance Corroboration attempts from each Network Perspective, minimally recording the following information:
   - a. an identifier that uniquely identifies the Network Perspective used;
   - b. the attempted domain name and/or IP address; and
   - c. the result of the attempt (e.g., "domain validation pass/fail", "CAA permission/prohibition").>
8. Multi-Perspective Issuance Corroboration quorum results for each attempted domain name or IP address represented in a Certificate request (i.e., "3/4" which should be interpreted as "Three (3) out of four (4) attempted Network Perspectives corroborated the determinations made by the Primary Network Perspective).

These requirements are satisfied by this PR.

[beautifulentropy]

Converting to draft until #7794 lands.