You may want to consider a setup where a dedicated signer is used. This would be a machine that only accepts ssh connections and runs specific programs based on the ssh key that connects to it.

One ssh key starts a shell for key maintenance. Private keys can be constructed but not looked at. Another (set of) ssh key(s) starts a script that accepts a zone and additional parameters and spits out a signed zone.

This machine would protect access to the private keys by the zone signers, not by the system administrator of the box.
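The "one ssh key, one program" split described above is usually built with forced commands in `authorized_keys`: each client key is pinned to a single program, and that program is the only thing the key can run. The dispatcher below is an added example, not code from the original text or from any particular signing tool. It assumes zone files live under `$ZONEDIR` and that the actual signer is whatever program `$SIGNER` names (both placeholders); the `authorized_keys` lines in the header comment are constructed. The point it demonstrates is that the client never passes anything to the signer except a validated zone name and lifetime, so a key holder who can request signatures still cannot reach the private keys or run anything else.

```shell
#!/bin/sh
# Forced-command dispatcher for a dedicated signer host (added example, not the
# page's own code). Each signing client's ssh key is pinned to this program in
# authorized_keys on the signer, so the only thing that key can do is ask for
# a signed zone; the key-maintenance key is pinned to a different program:
#
#   restrict,command="/usr/local/bin/signer-dispatch" ssh-ed25519 AAAA... zone-signer-1
#   restrict,command="/usr/local/bin/key-maint-shell" ssh-ed25519 AAAA... key-maint
#
# (constructed entries). Assumptions: zone files live in $ZONEDIR and the
# signer is the command named by $SIGNER; both are placeholders.

set -f   # never glob-expand text that came from the client

ZONEDIR="${ZONEDIR:-/var/lib/signer/zones}"
SIGNER="${SIGNER:-/usr/local/bin/sign-zone}"   # placeholder signer program

# A zone name may contain only DNS label characters, so the client cannot
# smuggle a path ("../") or an option ("-o") through to the signer.
valid_zone() {
  case "$1" in
    ''|-*|.*|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
  esac
  return 0
}

# Signature lifetime in days: a small positive integer only.
valid_days() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 90 ]
}

# Parse "sign <zone> [days]" (the text ssh puts in SSH_ORIGINAL_COMMAND).
# Prints "<zone> <days>" on success and returns 1 on anything else.
parse_request() {
  set -- $1                      # split the request on whitespace
  [ "$#" -ge 2 ] && [ "$#" -le 3 ] || return 1
  [ "$1" = "sign" ] || return 1
  zone=$2
  days=${3:-30}
  valid_zone "$zone" || return 1
  valid_days "$days" || return 1
  printf '%s %s\n' "$zone" "$days"
}

# Handle one request: validate it, check the zone exists, run the signer and
# let the signed zone go to stdout so the client captures it over ssh.
handle_request() {
  parsed=$(parse_request "$1") || { echo "signer: bad request" >&2; return 1; }
  zone=${parsed%% *}
  days=${parsed#* }
  [ -f "$ZONEDIR/$zone" ] || { echo "signer: unknown zone" >&2; return 1; }
  # Only validated values reach the signer; the key location is the signer's
  # own business and is never supplied by the client.
  "$SIGNER" "$ZONEDIR/$zone" "$zone" "$days"
}

# Entry point when run as a forced command (sshd sets SSH_ORIGINAL_COMMAND).
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
  handle_request "$SSH_ORIGINAL_COMMAND"
fi
```

With this in place a client runs something like `ssh signer sign example.com 7 > example.com.signed`; the `restrict` option additionally turns off port forwarding, agent forwarding and pty allocation for that key, so the dispatcher really is the whole attack surface the signing key exposes.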