VERCEL: handle CAA whitespace edge case

Author: SukkaW

integrationTest/integration_test.go

@@ -1347,6 +1347,20 @@ func makeTests() []*TestGroup {
 			tc("simple", aghAAAAPassthrough("foo", "")),
 		),
 
+		// VERCEL features(?)
+
+		// Turns out that Vercel does support whitespace in the CAA record,
+		// but it only supports `cansignhttpexchanges` field, all other fields,
+		// `validationmethods`, `accounturi` are not supported
+		//
+		// In order to test the `CAA whitespace` capabilities and quirks, let's go!
+		testgroup("VERCEL CAA whitespace - cansignhttpexchanges",
+			only(
+				"VERCEL",
+			),
+			tc("CAA whitespace - cansignhttpexchanges", caa("@", 128, "issue", "digicert.com; cansignhttpexchanges=yes")),
+		),
+
 		//// IGNORE* features
 
 		// Narrative: You're basically done now. These remaining tests

providers/vercel/auditrecords.go

@@ -1,7 +1,8 @@
 package vercel
 
 import (
-	"errors"
+	"fmt"
+	"strings"
 
 	"github.com/StackExchange/dnscontrol/v4/models"
 	"github.com/StackExchange/dnscontrol/v4/pkg/rejectif"
@@ -30,23 +31,39 @@ func AuditRecords(records []*models.RecordConfig) []error {
 	// last verified 2025-11-22
 	// bad_request - invalid_value - The specified value is not a fully qualified domain name.
 	a.Add("CAA", rejectif.CaaHasEmptyTarget)
-	a.Add("CAA", rejectifCaaTargetIsSemicolon)
 
 	// last verified 2025-11-22
 	// Vercel misidentified extra fields in CAA record `0 issue letsencrypt.org; validationmethods=dns-01; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1234`
 	// as "cansignhttpexchanges", and add extra incorrect validation on the value
-	// let's ignore all whitespace for now, i should report this to Vercel though, as
-	// it uses NS1 as its provder and NS1 definitly allows it.
 	//
 	// invalid_value - Unexpected "cansignhttpexchanges" value.
-	a.Add("CAA", rejectif.CaaTargetContainsWhitespace)
+	a.Add("CAA", rejectifCaaTargetContainsUnsupportedFields)
 
 	return a.Audit(records)
 }
 
-func rejectifCaaTargetIsSemicolon(rc *models.RecordConfig) error {
-	if rc.GetTargetField() == ";" {
-		return errors.New("caa target cannot be ';'")
+func rejectifCaaTargetContainsUnsupportedFields(rc *models.RecordConfig) error {
+	target := rc.GetTargetField()
+	if !strings.Contains(target, ";") {
+		return nil
+	}
+
+	parts := strings.Split(target, ";")
+	// The first part is the domain, which we only check length for now
+	if len(parts[0]) < 1 {
+		return fmt.Errorf("caa target domain is empty")
+	}
+	for _, part := range parts[1:] {
+		part = strings.TrimSpace(part)
+		if part == "" {
+			continue
+		}
+		// Check if the part starts with "cansignhttpexchanges"
+		// It can be just "cansignhttpexchanges" or "cansignhttpexchanges=..."
+		if part == "cansignhttpexchanges" || strings.HasPrefix(part, "cansignhttpexchanges=") {
+			continue
+		}
+		return fmt.Errorf("caa target contains unsupported field: %s", part)
 	}
 	return nil
 }

providers/vercel/auditrecords_test.go

@@ -0,0 +1,61 @@
+package vercel
+
+import (
+	"testing"
+
+	"github.com/StackExchange/dnscontrol/v4/models"
+)
+
+func TestCaaTargetContainsUnsupportedFields(t *testing.T) {
+	tests := []struct {
+		name    string
+		target  string
+		wantErr bool
+	}{
+		{
+			name:    "simple domain",
+			target:  "letsencrypt.org",
+			wantErr: false,
+		},
+		{
+			name:    "with cansignhttpexchanges",
+			target:  "digicert.com; cansignhttpexchanges=yes",
+			wantErr: false,
+		},
+		{
+			name:    "with empty domain",
+			target:  ";",
+			wantErr: true,
+		},
+		{
+			name:    "with validationmethods",
+			target:  "letsencrypt.org; validationmethods=dns-01",
+			wantErr: true,
+		},
+		{
+			name:    "with accounturi",
+			target:  "letsencrypt.org; accounturi=https://example.com",
+			wantErr: true,
+		},
+		{
+			name:    "with multiple params including allowed",
+			target:  "letsencrypt.org; cansignhttpexchanges; validationmethods=dns-01",
+			wantErr: true,
+		},
+		{
+			name:    "with unknown param",
+			target:  "letsencrypt.org; foo=bar",
+			wantErr: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			rc := &models.RecordConfig{}
+			rc.SetTarget(tt.target)
+			if err := rejectifCaaTargetContainsUnsupportedFields(rc); (err != nil) != tt.wantErr {
+				t.Errorf("caaTargetContainsUnsupportedFields() error = %v, wantErr %v", err, tt.wantErr)
+			}
+		})
+	}
+}