If the upstream registry supports RFC 7344 key rollovers you can use several pdnsutil commands to do this rollover. This HowTo follows the rollover example from the RFCs Appendix B.
We assume the zone name is example.com and is already DNSSEC signed.
Start by adding a new KSK to the zone:
pdnsutil add-zone-key example.com ksk 2048 inactive. The “inactive”
means that the key is not used to sign any ZSK records. This limits the
size of ANY and DNSKEY responses.
Publish the CDS records: pdnsutil set-publish-cds example.com, these
records will tell the parent zone to update its DS records. Now wait for
the DS records to be updated in the parent zone.
Once the DS records are updated, do the actual key-rollover:
pdnsutil activate-zone-key example.com new-key-id and
pdnsutil deactivate-zone-key example.com old-key-id. You can get the
new-key-id and old-key-id by listing them through
pdnsutil show-zone example.com.
After the rollover, wait at least until the TTL on the DNSKEY records
have expired so validating resolvers won’t mark the zone as BOGUS. When
the wait is over, delete the old key from the zone:
pdnsutil remove-zone-key example.com old-key-id. This updates the
CDS records to reflect only the new key.
Wait for the parent to pick up on the CDS change. Once the upstream DS
records show only the DS records for the new KSK, you may disable
sending out the CDS responses:
pdnsutil unset-publish-cds example.com.
Done!