Discussion:
[Opendnssec-user] To MySQL or not?
Roman Serbski
2017-02-28 18:47:36 UTC
Hello,

OpenDNSSEC 1.4.x with SQLite under FreeBSD 10.3-STABLE serving ~50
domains (potentially +30 this year). There are no more than 5 entries
per domain with the default ZSK/KSK roll-over (90 days/1 year).

We're planning to migrate to 2.1.0, and to introduce hardware HSM with
ZSKs still stored under SoftHSM and KSKs to be handled by the hardware
HSM (SafeNet).

Although there are no issues with the performance/locking whatsoever,
I was wondering at which stage you would recommend looking in the MySQL
direction? Is this linked to the number of domains or to how busy they
are?

And the second question: anyone here using MySQL with ndbcluster
engine? Any hints/performance observations?

Thank you.
Jakob Schlyter
2017-02-28 20:42:06 UTC
Post by Roman Serbski
We're planning to migrate to 2.1.0, and to introduce hardware HSM with
ZSKs still stored under SoftHSM and KSKs to be handled by the hardware
HSM (SafeNet).
(out of scope for your question, but anyway)

Why not store both KSK and ZSK in the HSM? They are of almost equal
value and a compromised ZSK can be used to sign anything, including
other ZSKs.

jakob
Roman Serbski
2017-03-01 20:36:04 UTC
Post by Jakob Schlyter
Post by Roman Serbski
We're planning to migrate to 2.1.0, and to introduce hardware HSM with
ZSKs still stored under SoftHSM and KSKs to be handled by the hardware
HSM (SafeNet).
(out of scope for your question, but anyway)
Why not store both KSK and ZSK in the HSM? They are of almost equal value
and a compromised ZSK can be used to sign anything, including other ZSKs.
I agree, but we're limited by the space on the HSM partition, which
is 500KB. Both ZSK and KSK stored on the HSM will consume ~2768 bytes
(+ an extra 2768 bytes during the roll-over), which leaves us ~90 domains
only.

The proper solution would probably be to extend the partition, but
last time I asked for a quote it was some unrealistic figure. :)
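The capacity figure above, worked through as an added example (not code from this thread or from the OpenDNSSEC project). It takes the 500KB partition and the ~2768 bytes per KSK+ZSK pair from the post, and assumes an even byte split between the two keys and a 10-day overlap during which the outgoing and incoming key coexist; the zone start offsets are constructed. Beyond the post's worst case, it also shows what happens when zones were signed on different days and therefore do not all roll at once, and how many zones fit if only the KSK lives on the hardware HSM.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class KeyPolicy:
    """One key type as the enforcer rolls it."""
    name: str
    lifetime_days: int   # ZSK 90 days, KSK 1 year: the defaults named in the thread
    overlap_days: int    # assumed: days the successor key coexists with the outgoing key
    bytes_per_key: int   # assumed: HSM storage consumed by one key pair


# Constructed figures: the thread gives ~2768 bytes for a KSK+ZSK pair and a
# 500 KB partition; the even split and the 10-day overlap are assumptions.
ZSK = KeyPolicy("ZSK", lifetime_days=90, overlap_days=10, bytes_per_key=1384)
KSK = KeyPolicy("KSK", lifetime_days=365, overlap_days=10, bytes_per_key=1384)
PARTITION_BYTES = 500_000


def keys_present(policy, zone_age_days):
    """Keys of this type a zone holds on a given day: 1, or 2 while rolling."""
    if zone_age_days < 0:
        return 0                      # zone not signed yet
    phase = zone_age_days % policy.lifetime_days
    rolling = phase >= policy.lifetime_days - policy.overlap_days
    return 2 if rolling else 1


def peak_usage(policies, zone_offsets, horizon_days):
    """Highest simultaneous HSM usage over the horizon as (keys, bytes).

    zone_offsets lists the day each zone was first signed; zones signed on
    the same day roll in lockstep, which is the worst case for storage.
    """
    peak_keys = peak_bytes = 0
    for day in range(horizon_days):
        keys = used = 0
        for offset in zone_offsets:
            for policy in policies:
                n = keys_present(policy, day - offset)
                keys += n
                used += n * policy.bytes_per_key
        if used > peak_bytes:
            peak_keys, peak_bytes = keys, used
    return peak_keys, peak_bytes


def max_zones(partition_bytes, policies, horizon_days=730):
    """Zones that fit when every zone hits its own worst-case overlap at once."""
    _, per_zone_peak = peak_usage(policies, [0], horizon_days)
    return partition_bytes // per_zone_peak


if __name__ == "__main__":
    print("KSK+ZSK in HSM:", max_zones(PARTITION_BYTES, [KSK, ZSK]), "zones")
    print("KSK only in HSM:", max_zones(PARTITION_BYTES, [KSK]), "zones")
    print("two zones staggered by 45 days, peak:", peak_usage([KSK, ZSK], [0, 45], 730))
```

With both keys on the HSM the worst case comes out at 90 zones, matching the post; moving only the KSK there doubles that to 180. Two zones signed 45 days apart never reach the 8-key worst case (their ZSK rollovers cannot coincide), which is why a staggered signing schedule can buy a little headroom, though the lockstep figure is the one to plan the partition around.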

Berry A.W. van Halderen
2017-02-28 22:22:05 UTC
Post by Roman Serbski
OpenDNSSEC 1.4.x with SQLite under FreeBSD 10.3-STABLE serving ~50
domains (potentially +30 this year). There are no more than 5 entries
per domain with the default ZSK/KSK roll-over (90 days/1 year).
Although there are no issues with the performance/locking whatsoever,
I was wondering at which stage would you recommend to look into MySQL
direction? Is this linked to the number of domains or how busy they
are?
Perhaps people with far more operational experience can join in, as
experience may vary here. But my general observations are that
SQLite3 is faster than MySQL if using a default installation.

This is not because SQLite is better than MySQL. In fact I think that
MySQL should be able to scale better and have a more stable performance
in the end. For large installations (10000s of domains rather than less
than 100) and with some planned improvements, MySQL should perform
better than SQLite3 in the long run.

But this will be marginal for the enforcer database and in general
SQLite will outperform a real database. Not because it is better, but
because SQLite is an embedded database. Without embedding a database
you will always get overhead.

But this overhead of an external database also gets you the goodies
that you might want in a production environment. The additional
cost in overhead isn't too bad.
As with MySQL you get easy and trusted backup procedures (without
having to take the enforcer off-line), replication/high availability.
Permissions, authorization, remote access.
Normally the choice for an external database is required because of
the need to embed the operation into an existing infrastructure,
rather than for the true need of the application in your current
set up.

Personally, but this isn't my or my group's advice, I would use
SQLite3 for now and migrate to MySQL when version 2.3 (no mistype) is
released later this year, and I think at that time there will be
performance benefits to be obtained for >10000s of domains.
Post by Roman Serbski
And the second question: anyone here using MySQL with ndbcluster
engine? Any hints/performance observations?
No experience here.

\Berry