dns_rdata_caa:value_len is currently defined as an isc_uint8_t value:

typedef struct dns_rdata_caa {
	dns_rdatacommon_t	common;
	isc_mem_t *		mctx;
	isc_uint8_t		flags;
	unsigned char *		tag;
	isc_uint8_t		tag_len;
	unsigned char		*value;
	isc_uint8_t		value_len;
} dns_rdata_caa_t;

but it can actually be much larger than 255 ('value' can be as long as
it fits the RDATA), and (just from code inspection, I've not tested it
with code) it could cause overflow in tostruct_caa():

	/*
	 * Value
	 */
	caa->value_len = sr.length;

Right now no BIND 9 code uses this structure other than in the caa_257
implementation, so BIND 9 apps won't be affected in practice.  But
it's still better fixed, of course.