KSKs are Key Signing Keys, which are a type of DNSKEY. KSKs are used only to sign the keys contained within a zone. Because they are used to sign less data their usable cryptographic life time can be longer before needing to create new ones. They can also be longer since the longer signatures produced through their use will only be attached to a single RRset within a zone (the DNSKEY RRset). ZSKs on the other hand need to be changed on a more frequent basis since they are used to sign more data. KSKs are expected to be the keys configured for use by validating resolvers as Trust Anchors.
Rollerd can be used to update keys on a regular schedule.