DNS Server

The goal is secure, autoconfigured name services: a home user should be able to plug in a new named device and have everything "just work", including publishing an IPv6 address into the global DNS without any configuration required.

Towards the stated goal, the router includes dnsmasq. Dnsmasq is a lightweight, easy to configure DNS forwarder and DHCP server. It is designed to provide DNS and, optionally, DHCP, to a small network. It can serve the names of local machines which are not in the global DNS.

DNSSEC support is coming

dnsmasq does not currently support DNSSEC (Domain Name System Security Extensions), a method for adding authentication and data security to the existing Domain Name System (DNS) while retaining backward compatibility with systems that do not support DNSSEC. This is actively in development by the dnsmasq team, and it will be incorporated into CeroWrt as soon as it is available.

A DNSSEC-enabled name server which provides authoritative data for a given domain responds to requests with the requested data and also a signature record which cryptographically authenticates the response.

A DNSSEC-enabled name server that provides local resolution of DNS requests validates the signatures received from authoritative servers to ensure that the data received was not tampered with. If the data in the response cannot be proven to be valid and secure, the name server will reject it and return a "server failed" message to the client.
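
As an added illustration (not part of the CeroWrt documentation or dnsmasq's code), this Python example shows how a client can tell apart the outcomes described above by reading the response header's RCODE and AD flag and looking for RRSIG records in the answer section. The sample messages, the name example.org and the helper names are constructed for the example.

```python
import struct

RRSIG, SERVFAIL, AD_BIT = 46, 2, 0x0020  # RR type 46, RCODE 2, header AD flag

def skip_name(msg, off):
    """Return the offset just past an (optionally compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer ends the name
            return off + 2
        off += 1 + length

def classify(msg):
    """Classify a DNS response as a client of a validating resolver sees it."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    if flags & 0x000F == SERVFAIL:
        return "servfail"               # validation (or resolution) failed
    off = 12
    for _ in range(qd):                 # skip the question section
        off = skip_name(msg, off) + 4   # name + QTYPE + QCLASS
    has_rrsig = False
    for _ in range(an):                 # walk the answer records
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        has_rrsig |= rtype == RRSIG
        off += 10 + rdlen
    if flags & AD_BIT:
        return "validated"              # resolver asserts the data is authentic
    return "signed-unvalidated" if has_rrsig else "unsigned"

# --- constructed sample messages (not captured traffic) ---
QNAME = b"\x07example\x03org\x00"

def build(flags, rrs):
    """Assemble a response with one question and the given (type, rdata) answers."""
    hdr = struct.pack("!6H", 0x1234, flags, 1, len(rrs), 0, 0)
    body = QNAME + struct.pack("!HH", 1, 1)
    for rtype, rdata in rrs:            # owner name = pointer to offset 12
        body += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return hdr + body

A_RR = (1, bytes([192, 0, 2, 1]))       # A record, documentation address
SIG_RR = (RRSIG, b"\x00" * 24)          # placeholder RDATA, not a real signature
```

The AD flag is only as trustworthy as the path between the client and the resolver that set it, and SERVFAIL alone does not distinguish a validation failure from other resolution failures.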

Local DNS Addressing

The CeroWrt router is always available to its LAN interfaces as 'gw.home.lan'. This makes it easy to connect with the router without requiring you to know the IP address ranges used by the router.

mDNS Addressing

By default, CeroWrt has a multicast DNS (aka "Zeroconf" or "Bonjour" naming) reflector (the Avahi package) enabled for all the LAN interfaces. This allows you to locate devices without knowing their IP addresses.