
When you say bypass, do you mean disable DNSSEC on your own computer? Or are there known vulnerabilities in DNSSEC cryptography or software?


The stub resolver on your own computer doesn't actually speak DNSSEC. It speaks normal DNS to a recursing resolver, probably at your ISP or at Google, that itself does DNSSEC validation, and then just sets a bit in the response back to you that says "this is authentic".
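Added example, not part of the thread and not any resolver's own code: a Python sketch of what a non-validating stub can actually check in a reply, showing that the "authentic" verdict rests on the single AD header bit. The name `example.com`, the transaction ID and the response bytes are constructed for illustration, and the function names are hypothetical.

```python
import struct

QR, RD, RA = 0x8000, 0x0100, 0x0080
AD = 0x0020  # Authenticated Data: set by the validating recursive resolver

def build_query(name, txid, qtype=1):
    """Query as a non-validating stub sends it: RD=1, plus AD=1 to ask for AD back (RFC 6840)."""
    header = struct.pack("!6H", txid, RD | AD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!2H", qtype, 1)

def constructed_response(query, validated):
    """Constructed sample reply with one A record (192.0.2.1); AD is set only if validated."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = QR | RD | RA | (AD if validated else 0)
    header = struct.pack("!6H", txid, flags, 1, 1, 0, 0)
    # Name is a compression pointer to offset 12, then TYPE, CLASS, TTL, RDLENGTH, RDATA.
    answer = b"\xc0\x0c" + struct.pack("!2HIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + query[12:] + answer

def stub_verdict(response, txid):
    """What the stub can conclude: it reads header flags, it verifies no signatures itself."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    rid, flags = struct.unpack("!2H", response[:4])
    if rid != txid or not flags & QR:
        return "rejected"          # not a reply to our query
    if flags & 0x000F:
        return "error"             # non-zero RCODE, e.g. SERVFAIL on failed validation
    return "authentic" if flags & AD else "unvalidated"

def differing_bytes(a, b):
    """Offsets at which two equal-length messages differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]

if __name__ == "__main__":
    q = build_query("example.com", 0x1234)
    signed, plain = constructed_response(q, True), constructed_response(q, False)
    print(stub_verdict(signed, 0x1234), stub_verdict(plain, 0x1234))
    print("messages differ at byte offsets:", differing_bytes(signed, plain))
```

The two replies differ in one byte of the header, so the stub's trust in the answer is only as good as its trust in the recursive resolver and the network path to it.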


Glibc supposedly has DNSSEC, but does anyone use it:

https://sourceware.org/glibc/wiki/DNSSEC


That page appears to be mostly about how to trust a real recursive cache from a glibc program.


I'd hate to be pointed to that page and tasked with designing and implementing a test plan.


The recursing resolver is on my local system, anything else is clearly madness.


Always fascinating to hear about how the standard configuration for every workstation Linux distro, macOS, and Windows 10 is "clearly madness". Do go on!



