
Are there any protocols that DSCP will break? If you have a router that traffic passes through, and you want to classify different types of traffic using DSCP values, do you need to take special care to avoid setting DSCP values on certain types of traffic? My worry is that certain protocols that offer data integrity, like SSH or VPNs, would take a hash of the IP header, including the DSCP value, and if the DSCP value changes, the client would reject the packet. It appears that ESP and AH, as described here, take care to avoid hashing the DSCP field. Are there other protocols that aren't as careful, that might break if you change the DSCP values on their packets? Or is changing DSCP willy-nilly generally considered safe?

No protocols will break due to a changed DSCP - how they are treated by upstream devices may change however (traffic may be more likely to be dropped, or aggressively shaped), so this will need to be taken into consideration if you don't have control/visibility end-to-end.

In your VPN example, traffic encapsulated in a tunnel header will have its DSCP values preserved.

Changing the DSCP value of the tunnel traffic (e.g. outer IP header) will have no effect on checksums (checksum will be against payload, not entire packet).

In fact, the default behaviour of most IPsec VPN devices I've worked with over the years is to copy the DSCP header from the tunnelled traffic to the outer tunnel header so that it can still be identified.
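An added example, not part of the original question or answer: it remarks the DSCP of a constructed IPv4/UDP packet and checks which integrity values move. Assumptions: the addresses, ports and key are constructed, and `ah_style_icv` is a simplified stand-in for AH that zeroes the IPv4 fields RFC 4302 lists as mutable (the AH header itself is left out). The IPv4 header checksum does cover the DSCP byte, and the remarking device recomputes it, as it already does for TTL.

```python
import hashlib, hmac, struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4(dscp: int, payload_len: int, proto: int = 17) -> bytes:
    """20-byte IPv4 header with constructed RFC 5737 documentation addresses."""
    src, dst = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20 + payload_len,
                      0x1234, 0x4000, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]

def remark_dscp(hdr: bytes, dscp: int) -> bytes:
    """What a QoS router does: rewrite DSCP, keep ECN, redo the header checksum."""
    tos = (dscp << 2) | (hdr[1] & 0x03)
    hdr = hdr[:1] + bytes([tos]) + hdr[2:10] + b"\x00\x00" + hdr[12:]
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]

def udp_checksum(hdr: bytes, udp: bytes) -> int:
    """UDP checksum: the pseudo-header is src, dst, zero, protocol, length only."""
    pseudo = hdr[12:20] + struct.pack("!BBH", 0, hdr[9], len(udp))
    return inet_checksum(pseudo + udp)

def ah_style_icv(key: bytes, hdr: bytes, payload: bytes) -> bytes:
    """Simplified AH ICV: zero the mutable IPv4 fields, then HMAC the rest."""
    h = bytearray(hdr)
    h[1] = 0                 # DSCP + ECN
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return hmac.new(key, bytes(h) + payload, hashlib.sha256).digest()

def demo() -> dict:
    udp = struct.pack("!HHHH", 40000, 53, 8 + 5, 0) + b"hello"  # constructed datagram
    before = build_ipv4(0, len(udp))
    after = remark_dscp(before, 46)  # remark best effort to EF
    key = b"constructed-demo-key"
    return {
        "header_checksum_changed": before[10:12] != after[10:12],
        "header_checksum_valid": inet_checksum(after) == 0,
        "udp_checksum_same": udp_checksum(before, udp) == udp_checksum(after, udp),
        "icv_same": ah_style_icv(key, before, udp) == ah_style_icv(key, after, udp),
    }
```

Calling `demo()` shows the only value that moves is the per-hop IPv4 header checksum; the transport checksum and the AH-style integrity value are identical before and after remarking.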
