How to keep your keys secure and private

I am running my DNS on 3 external VPS servers. One of them was set up as the primary DNS server and, in addition to the zone files, held the DNSSEC private keys.

This is not optimal. Having your DNSSEC keys on a server outside your premises means they can be copied by the VPS provider or by anyone the provider gives access to your VPS servers. If that happens, the keys can be used to forge DNS data for your domain(s).

To solve this I set up docker on my home Synology server (any machine that is on all the time and can run docker will do), then I loaded the bind9 container and set it up as a shadow primary nameserver (a hidden primary, not listed in the zone's NS records). This way all the DNSSEC keys stay at my premises and only I have access to them. The 3 external DNS servers have been set up as secondaries, and when I change the zone file in my docker container it notifies the secondaries so they can transfer the signed zone.
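A minimal BIND 9 (9.16 or later) configuration for this layout, added here as an illustration and not the author's actual configuration; the zone name example.net, the documentation-range addresses and the TSIG secret are placeholders:

```conf
# ===== named.conf on the hidden primary (home docker container) =====
# Constructed example: example.net, 192.0.2.5 (home), 203.0.113.x (VPSes)
# and the TSIG secret are placeholders, not values from the post.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_OUTPUT_OF_tsig-keygen";
};

options {
    directory "/var/lib/bind";
    recursion no;                       # authoritative only
    # Not in the NS set, so it only has to serve the secondaries.
    allow-transfer { key "xfer-key"; }; # TSIG-signed AXFR/IXFR only
    notify explicit;                    # notify also-notify hosts, not the NS set
    also-notify {
        203.0.113.10 key "xfer-key";
        203.0.113.20 key "xfer-key";
        203.0.113.30 key "xfer-key";
    };
};

# Keys are generated and rolled by named itself, in key-directory.
dnssec-policy "home" {
    keys {
        ksk lifetime unlimited algorithm ecdsa256;
        zsk lifetime P90D      algorithm ecdsa256;
    };
};

zone "example.net" {
    type primary;
    file "example.net.zone";
    key-directory "/var/lib/bind/keys"; # private keys never leave this host
    dnssec-policy "home";
    inline-signing yes;                 # secondaries receive the signed zone
};

# ===== named.conf on each external VPS secondary =====
key "xfer-key" {
    algorithm hmac-sha256;
    secret "SAME_SECRET_AS_ON_THE_PRIMARY";
};

zone "example.net" {
    type secondary;
    file "example.net.signed";
    primaries { 192.0.2.5 key "xfer-key"; }; # the hidden primary at home
    allow-notify { 192.0.2.5; };
    allow-transfer { none; };                # nobody pulls the zone from a VPS
};
```

The secondaries must be able to reach the home host on TCP port 53 for transfers; the TSIG key is what keeps anyone else who can reach that port from pulling the zone or sending bogus NOTIFYs.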
