If we need to revoke or change a key for an encrypted zone (i.e. key rolling), do we need to copy all the data (distcp) into a new location, create a new key, and then copy it back?
AFAIK, the approach you had mentioned is the only way it's possible to change keys for an encryption zone with the present implementation of TDE in Hadoop.
You do not need to copy all of the data. You can roll over the keys via the Ranger UI if you are using the Ranger KMS. Take a look at this. Specifically the section for "Rolling Over an Existing Key".
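A toy model of the key-version bookkeeping behind a key roll, added here as an illustration and not taken from the thread, Hadoop or Ranger: in HDFS transparent encryption each file's data key is stored wrapped (an EDEK) together with the version of the zone key that wrapped it, so a roll changes which version wraps new files and leaves existing file data untouched. The names `ToyKMS`, `write_file`, `read_file`, `demo` and the key name `zone1_key` are hypothetical, and the SHA-256 XOR keystream is a stand-in for the real cipher.

```python
import hashlib
import os

def _xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 keystream XOR); stands in for AES-CTR."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

class ToyKMS:
    """Keeps every version of each zone key (hypothetical model of a KMS)."""
    def __init__(self):
        self.versions = {}  # key name -> [material v0, material v1, ...]

    def create_key(self, name):
        self.versions[name] = [os.urandom(32)]

    def roll_key(self, name):
        # A roll appends a new version; older versions stay in the keystore.
        self.versions[name].append(os.urandom(32))
        return len(self.versions[name]) - 1

    def generate_edek(self, name):
        # New data keys are always wrapped with the current (latest) version.
        version = len(self.versions[name]) - 1
        dek, nonce = os.urandom(32), os.urandom(16)
        wrapped = _xor(self.versions[name][version], nonce, dek)
        return dek, {"key": name, "version": version, "nonce": nonce, "wrapped": wrapped}

    def decrypt_edek(self, edek):
        # Unwrap with the version recorded in the EDEK, not the latest one.
        material = self.versions[edek["key"]][edek["version"]]
        return _xor(material, edek["nonce"], edek["wrapped"])

def write_file(kms, zone_key, plaintext):
    dek, edek = kms.generate_edek(zone_key)
    return {"edek": edek, "data": _xor(dek, b"file", plaintext)}

def read_file(kms, stored):
    return _xor(kms.decrypt_edek(stored["edek"]), b"file", stored["data"])

def demo():
    kms = ToyKMS()
    kms.create_key("zone1_key")  # constructed key name
    before = write_file(kms, "zone1_key", b"written before the roll")
    snapshot = before["data"]
    kms.roll_key("zone1_key")
    after = write_file(kms, "zone1_key", b"written after the roll")
    return before, after, snapshot, read_file(kms, before), read_file(kms, after)
```

Files written before the roll stay readable only while the old key version remains in the keystore, since their EDEKs still reference it.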