Instead of asking "what IP is Google.com?" to your configured DNS server, you traverse the whole chain. First, you refer to your list of root zones: which servers can answer about .com? Ok, ask them which DNS servers google.com should have. Next, send the request directly to those servers. Now you get a response that you can use.
This chain can get really long depending on the service's DNS configuration. And this whole time every request has to come back DNSSEC signed.
Note that I'm ignoring any caching....
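The walk described above, as an added example that is not part of the original text: a toy iterative resolver over a constructed in-memory delegation tree that validates every response before following it. HMAC is only a stand-in for DNSSEC's public-key signatures, the key carried in each referral plays the role of a DS record, and all server names, keys and addresses are constructed.

```python
import hashlib
import hmac

ROOT_ANCHOR = b"constructed-root-key"  # stand-in for the configured root trust anchor

# Constructed zones: server -> (signing key, {owner name: (kind, data)}).
# A "referral" names the child server and the child's key (the role of a DS record).
ZONES = {
    "root-server": (ROOT_ANCHOR, {"com.": ("referral", ("com-server", b"com-key"))}),
    "com-server": (b"com-key", {"google.com.": ("referral", ("google-ns", b"google-key"))}),
    "google-ns": (b"google-key", {"google.com.": ("answer", "192.0.2.10")}),
}

def sign(key, qname, record):
    """HMAC over the question and the record, standing in for an RRSIG."""
    return hmac.new(key, f"{qname}|{record!r}".encode(), hashlib.sha256).digest()

def query(server, qname):
    """Simulated authoritative server: closest enclosing name, signed response."""
    key, records = ZONES[server]
    matches = [o for o in records if qname == o or qname.endswith("." + o)]
    owner = max(matches, key=len, default=None)
    if owner is None:
        raise LookupError(f"{server} has nothing for {qname}")
    record = records[owner]
    return record, sign(key, qname, record)

def resolve(qname, tamper_at=None):
    """Walk root -> TLD -> authoritative, validating each response.

    Returns (address, servers queried); raises ValueError on a bad signature.
    tamper_at names a server whose response is altered after signing.
    """
    server, trusted_key, path = "root-server", ROOT_ANCHOR, []
    while True:
        record, sig = query(server, qname)
        path.append(server)
        if server == tamper_at:  # simulate modification in transit
            record = ("answer", "203.0.113.66")
        if not hmac.compare_digest(sig, sign(trusted_key, qname, record)):
            raise ValueError(f"validation failed at {server}")
        kind, data = record
        if kind == "answer":
            return data, path
        server, trusted_key = data  # follow the referral; trust only the delegated key

if __name__ == "__main__":
    print(resolve("google.com."))
```

A response altered at any hop fails validation at that hop, so the resolver stops instead of following a forged referral or returning a forged address.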