DNSSEC doesn’t encrypt the response, instead it adds a digital signature to the response. The private key is used to generate a digital signature known as an Resource Record Set Signature (RRSIG), for a set of Resource Record (RRSETS). The RRSIG is then delivered to the enquiring party along with the original unencrypted version of the same data. The enquiring party decrypts the RRSIG by using the sender's validated public key and compares the result to the original unencrypted data. If the two data sets match, the data is authenticated as truly originating from that organization. The signature check also effectively ensures that the data is unmodified from the original version that was signed. In this way, digital signatures use public key cryptography to prove that information is not spoofed and unchanged.
Where does the enquirer get the public key?
This is also stored publicly within the zone file as a DNSKEY record, the enquirer can query for this record as well to verify the RRSIG.
Wait, that doesn't sound secure! An attacker could sign a fake record with their own private key and send the RRSIG response to the enquirer along with their own public (DNSKEY). Shouldn't the public key require validation as well?
Yes. This is done by establishing a chain of trust. See the section on chain of trust for further explanation.