it just proxies whatever normal public dns you tell it
to....
Presumably they seed the namecoin table with DNS records and use those
instead when they exist? I don't know whether those can be expired
efficiently.
As for on the current web making sure you're
sending
your password to the right person, no one is intercepting
your credit card details, who you're talking to isn't being
tracked by anyone but the site itself, etc... well okTurtles
just leaves that up to the same certificate authorities
they don't trust....
It seems like they would take the next logical step and verify
namecoin-cached public key fingerprints of both the site and the
certificate before initiating a traditional SSL connection (and/or
better revocation support.)