
Not a bad idea, TBH.

Just feeling uncomfortable putting more data into DNS. DNS is not encrypted. DNSSEC is easy to bypass (or breaks so often that nobody wants to enforce it).

-- but these are not W3C's problem.



Yes; if someone hijacks example.com's main A record, that gets caught at the SSL level.

If someone hijacks example.com's cookie record, that won't be caught; they just write themselves permission to have their page access example.com's cookies.

The same info could just be hosted by example.com (at some /.well-known path or whatever). The web could generate a lot of hits against that.

The DNS records could be (optionally?) signed. You'd need the SSL key of the domain to check the signature.


When you say bypass, do you mean disable DNSSEC on your own computer? Or are there known vulnerabilities in DNSSEC cryptography or software?


The stub resolver on your own computer doesn't actually speak DNSSEC. It speaks normal DNS to a recursing resolver, probably at your ISP or at Google, that itself does DNSSEC validation, and then just sets a bit in the response back to you that says "this is authentic".
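An added illustration of the comment above (not part of the thread, and not code from any resolver): a stub-side parse of a plain DNS response, showing that the only DNSSEC signal it receives is the AD ("Authentic Data", RFC 4035) header bit, with no RRSIG to check. The response bytes are constructed samples, and `build_response`, `stub_view` and `differing_bytes` are hypothetical helper names.

```python
import struct

AD_FLAG = 0x0020      # "Authentic Data" bit in the DNS header flags word
TYPE_RRSIG = 46       # record type that carries a DNSSEC signature

def encode_name(name):
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"

def build_response(ad):
    """Constructed sample: reply for example.com A as sent to a stub resolver."""
    flags = 0x8180 | (AD_FLAG if ad else 0)            # QR + RD + RA, optionally AD
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 0)
    question = encode_name("example.com") + struct.pack("!HH", 1, 1)
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
              + bytes([192, 0, 2, 1]))                 # compressed name, A, IN, TTL, RDATA
    return header + question + answer

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:                           # compression pointer: 2 bytes
            return off + 2
        off += 1 + n

def stub_view(msg):
    """What a stub can learn: the AD bit, the rcode, and the answer record types."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                  # skip QTYPE + QCLASS
    types = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    return {"ad": bool(flags & AD_FLAG), "rcode": flags & 0xF,
            "has_rrsig": TYPE_RRSIG in types, "answer_types": types}

def differing_bytes(a, b):
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]

if __name__ == "__main__":
    validated, plain = build_response(True), build_response(False)
    print(stub_view(validated))
    print(stub_view(plain))
    print("byte offsets that differ:", differing_bytes(validated, plain))
```

The two messages differ in a single header byte, so the stub's "authentic" verdict is only as trustworthy as the network path to the recursive resolver.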


Glibc supposedly has DNSSEC, but does anyone use it:

https://sourceware.org/glibc/wiki/DNSSEC


That page appears to be mostly about how to trust a real recursive cache from a glibc program.


I'd hate to be pointed to that page and tasked with designing and implementing a test plan.


The recursing resolver is on my local system; anything else is clearly madness.


Always fascinating to hear about how the standard configuration for every workstation Linux distro, macOS, and Windows 10 is "clearly madness". Do go on!


DNSSEC isn't encrypted either.



