by _n_b_ 1944 days ago
> how you protect the signing certificates

You get an HSM like this: https://www.veritech.net/product-detail/keyper-hsm/ that stays air-gapped.

Then you build procedures around it, like https://www.iana.org/dnssec

Not cheap or easy.


If you have no compliance requirements, you can also just use any PKCS#11 token (with support for non-extractable keys) to secure the key, and set up an air-gapped process on a laptop with a boot CD, etc., to minimize the risk of compromising your process.
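What the token-based setup above looks like in practice, as an added example (not code from either commenter): a POSIX shell script that generates a signing key pair on a PKCS#11 token so the private half is marked sensitive and cannot be extracted, signs with the key while it stays on the token, and then verifies from the token's own object listing that the key really is non-extractable rather than trusting the generation step. It assumes OpenSC's `pkcs11-tool`; the module path, PIN handling and the `Access:` line format in the listing are assumptions about that tool, and the sample listing fed to the check is constructed so the attribute check can run without a token.

```shell
#!/bin/sh
# Added example: generate and use a non-extractable signing key on a PKCS#11
# token with OpenSC's pkcs11-tool, then verify the key's attributes.
# MODULE is a placeholder path; the PIN is prompted for by --login.

MODULE="${PKCS11_MODULE:-/usr/lib/opensc-pkcs11.so}"   # placeholder module path
KEY_LABEL="code-signing"
KEY_ID="01"

# Generate an RSA-3072 key pair on the token. --sensitive sets CKA_SENSITIVE,
# and --extractable is deliberately NOT passed, so pkcs11-tool requests
# CKA_EXTRACTABLE=false. --private keeps the object invisible without login.
generate_key() {
    pkcs11-tool --module "$MODULE" --login \
        --keypairgen --key-type rsa:3072 \
        --id "$KEY_ID" --label "$KEY_LABEL" \
        --usage-sign --sensitive --private
}

# Sign a file with the on-token key. Hashing and RSA-PKCS#1 v1.5 padding are
# done by the token (mechanism SHA256-RSA-PKCS); the private key never leaves it.
sign_file() {
    pkcs11-tool --module "$MODULE" --login \
        --sign --mechanism SHA256-RSA-PKCS \
        --id "$KEY_ID" --input-file "$1" --output-file "$1.sig"
}

# Read 'pkcs11-tool --list-objects --login' output on stdin and return 0 only if
# the private key with the given label reports both 'sensitive' and
# 'never extractable' on its 'Access:' line (assumed OpenSC output format).
# A key with no Access line at all is treated as unverified, i.e. failure.
key_is_locked_down() {
    awk -v want="$1" '
        /^Private Key Object/ { in_key = 1; lbl = ""; access = ""; next }
        /^[^ ]/               { in_key = 0 }              # any other object header
        in_key && /^  label:/  { sub(/^  label: */, ""); lbl = $0 }
        in_key && /^  Access:/ { sub(/^  Access: */, ""); access = $0 }
        in_key && lbl == want && access != "" {
            if (access ~ /sensitive/ && access ~ /never extractable/) ok = 1
            else bad = 1
            lbl = ""; access = ""
        }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# Constructed sample listing (what a correctly generated key should look like),
# so the check can be exercised on a machine without a token.
SAMPLE_LISTING='Private Key Object; RSA
  label:      code-signing
  ID:         01
  Usage:      sign
  Access:     sensitive, always sensitive, never extractable, local
Public Key Object; RSA 3072 bits
  label:      code-signing
  ID:         01
  Usage:      verify'

# Check the constructed sample; with a real token run
#   pkcs11-tool --module "$MODULE" --login --list-objects | key_is_locked_down "$KEY_LABEL"
check_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | key_is_locked_down "$KEY_LABEL"
}

if check_sample; then
    echo "sample key is sensitive and never extractable"
else
    echo "sample key is NOT locked down"
fi
```

The verification step is the part worth keeping: whatever defaults a given token applies at generation time, the listing after the fact is what tells you the private key can no longer be wrapped or read out, and a key that fails that check should be destroyed and regenerated before anything is signed with it.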