TL;DR: DNS converts domain names into IP addresses.
Let's say the Internet is out there. There are websites of different kinds waiting for you to visit. And there are so many of them. Theoretically, each website can just be identified by an IP address, a 32-bit number. But human minds are not so good at remembering such numbers. You don't remember all the phone numbers of your friends. Your phone maintains a phonebook (a contact list) so you can just look up the phone number by a certain person's name.
DNS (Domain Name System) serves as your phonebook for the Internet. It converts the names of websites (domain names) into IP addresses. One caveat with the phone book metaphor is that in reality, IP addresses of websites are much more dynamic; they can change frequently.
So you have a domain name you want to resolve.
Although you don't need to remember every IP address for every website, there's one IP address you or your computer needs to remember—the DNS server/resolver address. The IP address of a DNS server is usually well-known, e.g. 8.8.8.8 (Google Public DNS server), 75.75.75.75 (Comcast).
Root servers:
TLD server (.com, .net, …)
(Intermediate?) Nameserver (facebook.com, google.com)
Authoritative nameserver (www.facebook.com, mail.google.com)
Note: DNS servers are reached by IP addresses. They also need to broadcast their IP addresses through BGP to allow for routing.
If you have control over your authoritative nameserver, changing the IP address of a domain name should be pretty quick. Usually, the record cached at the resolver has a short TTL (a few minutes). Once the record expires, the resolver will resolve the domain again recursively and finally reach the authoritative nameserver to get the latest record.
It will take longer to change the address of a TLD server, which usually has a longer TTL. It can be slow to get changes propagated because we're waiting for old records to expire.
Some ISPs configure their DNS servers to ignore the TTL value. You can't do anything about that.
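The TTL behaviour described above, as an added example that is not part of the original page: a toy resolver walks a constructed root -> TLD -> authoritative chain and caches the answer for its TTL, while a second resolver with a hypothetical `min_ttl` floor models an ISP resolver that ignores the TTL. `Zone`, `CachingResolver`, `demo`, the name www.example.com and the 192.0.2.x addresses are all assumptions made for illustration.

```python
class Zone:
    def __init__(self):
        self.delegations = {}  # suffix -> child Zone (a referral)
        self.records = {}      # fqdn -> (ip, ttl_seconds)

    def query(self, fqdn):
        if fqdn in self.records:
            return "answer", self.records[fqdn]
        for suffix, child in self.delegations.items():
            if fqdn.endswith("." + suffix):
                return "referral", child
        return "nxdomain", None

class CachingResolver:
    def __init__(self, root, min_ttl=0):
        self.root = root
        self.min_ttl = min_ttl     # > 0 models a resolver that overrides short TTLs
        self.cache = {}            # fqdn -> (ip, expires_at)
        self.upstream_queries = 0

    def resolve(self, fqdn, now):
        hit = self.cache.get(fqdn)
        if hit and now < hit[1]:
            return hit[0]          # served from cache, no upstream traffic
        server = self.root         # miss or expired: root -> TLD -> authoritative
        while True:
            self.upstream_queries += 1
            kind, data = server.query(fqdn)
            if kind == "referral":
                server = data
            elif kind == "answer":
                ip, ttl = data
                self.cache[fqdn] = (ip, now + max(ttl, self.min_ttl))
                return ip
            else:
                return None

def demo():
    root, com, auth = Zone(), Zone(), Zone()
    root.delegations["com"] = com
    com.delegations["example.com"] = auth
    name = "www.example.com"  # constructed name, IPs and TTLs (documentation ranges)
    auth.records[name] = ("192.0.2.10", 300)
    honest, sticky = CachingResolver(root), CachingResolver(root, min_ttl=86400)
    first = honest.resolve(name, 0), sticky.resolve(name, 0)
    auth.records[name] = ("192.0.2.20", 300)  # operator repoints the name
    return {"first": first[0], "cached": honest.resolve(name, 299),
            "after_ttl": honest.resolve(name, 300), "sticky": sticky.resolve(name, 300),
            "upstream": honest.upstream_queries}
```

Calling `demo()` shows the honest resolver still returning the old address one second before expiry and the new one at expiry, while the TTL-overriding resolver keeps serving the stale address.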
For a popular domain, DNS can resolve to different IP addresses depending on the location and achieve geo-based load balancing.
Another way to do load balancing is with anycast: multiple servers can announce the same IP address, and each of them is equivalent in serving requests. DNS is not so relevant to this approach, though.
Zone signing keys are used to sign groups of DNS records.
The Root Key Signing Key (KSK) is used to sign the zone signing keys.
The Root Key Signing Key is taken offline and guarded securely in two locations: El Segundo, CA and Culpeper, VA.
DNS uses UDP. Compared with TCP, UDP is connectionless, has lower latency, and is less reliable.