The goal is secure, autoconfigured name services: a home user should be able to plug in a new named device, and everything "just work", including publishing an IPv6 address into the global DNS without any configuration required.
Towards the stated goal, the router includes Bind 9 running in a chrooted jail for additional security. This enables the router to support advanced name services, including zone transfers, split views, and DNSSEC. For more details, see the release notes as not all of this intended functionality is complete.
A DNSSEC-enabled name server which provides authoritative data for a given domain responds to requests with the requested data and also a signature record which cryptographically authenticates the response.
A DNSSEC-enabled name server that provides local resolution of DNS requests validates the signatures received from authoritative servers to ensure that the data received was not tampered with. If the data in the response cannot be proven to be valid and secure, the name server will reject it and return a "server failed" message to the client.