it just proxies whatever normal public dns you tell it to....
Presumably they seed the namecoin table with DNS records and use those instead when they exist? I don't know whether those can be expired efficiently.
As for on the current web making sure you're sending your password to the right person, no one is intercepting your credit card details, who you're talking to isn't being tracked by anyone but the site itself, etc... well okTurtles just leaves that up to the same certificate authorities they don't trust....
It seems like they would take the next logical step and verify namecoin-cached public key fingerprints of both the site and the certificate before initiating a traditional SSL connection (and/or better revocation support.)