Domain signing is done by placing OpenDNSSEC between the place where the zone files are edited and where they are published. The current version of OpenDNSSEC supports files and AXFR to communicate the zone data; effectively, OpenDNSSEC acts as a "bump in the wire" between editing and publishing a zone.
OpenDNSSEC has two daemons, which are started and stopped together through the ods-control(8) command. The two daemons in turn invoke other programs to get their work done.
One of the daemons is the KASP Enforcer, which enforces policies that define security and timing requirements for each individual zone. Operators tend to interact with the KASP Enforcer a lot, through the ods-enforcer(8) command.
The other daemon is the Signer Engine, which in turn signs the zone content. It retrieves that content from a file or through AXFR, and publishes a signed version of the zone into a file or through AXFR. Direct interaction with the Signer Engine, although not normally necessary, is possible through the ods-signer(8) command.
The keys that sign the zones are managed by an independent repository, which is accessed over a PKCS #11 interface. Although the principal idea of this interface is to give access to cryptographic hardware, software implementations exist as well. Implementations also range from open source to commercial, and from very simple to highly secure. By default, OpenDNSSEC is configured to run on top of a SoftHSM, but a few other commands exist to test any Hardware Security Module that may sit under the PKCS #11 API.
OpenDNSSEC is mindful of the validity period of each key, and will roll over to new keys in time to keep the domain signed, without any downtime for the secure domain. The only thing that is not standardised, and thus cannot be automated at the moment, is the interface between a zone and its parent, so this has to be done manually or scripted around OpenDNSSEC.
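As an added example (not OpenDNSSEC's own code), the following Python builds the DS record an operator hands to the parent for a KSK and checks that the DS the parent actually publishes still matches the key in the zone, which is the manual step described above. The owner name example.com. and the 4-byte public key are constructed placeholders, not a real key.

```python
import hashlib

# Added example, not OpenDNSSEC code: DS construction and checking per RFC 4034.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire form: lowercase, length-prefixed labels."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes, protocol: int = 3) -> bytes:
    """DNSKEY RDATA: 2-byte flags, protocol (always 3), algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag computed over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """RFC 4034 section 5.1.4: digest(owner name | DNSKEY RDATA), hex encoded."""
    return DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest()

def ds_record(owner: str, flags: int, algorithm: int, pubkey: bytes, digest_type: int = 2) -> str:
    """Presentation-format DS record for the given KSK."""
    rdata = dnskey_rdata(flags, algorithm, pubkey)
    return (f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} "
            f"{ds_digest(owner, rdata, digest_type)}")

def ds_matches_dnskey(ds: str, owner: str, flags: int, algorithm: int, pubkey: bytes) -> bool:
    """Check a DS as published by the parent (with or without TTL) against the KSK in the zone."""
    fields = ds.split()
    i = fields.index("DS")
    tag, alg, dtype = int(fields[i + 1]), int(fields[i + 2]), int(fields[i + 3])
    digest = "".join(fields[i + 4:]).lower()  # digest may be split over whitespace
    rdata = dnskey_rdata(flags, algorithm, pubkey)
    if alg != algorithm or tag != key_tag(rdata) or dtype not in DIGEST_ALGS:
        return False
    return digest == ds_digest(owner, rdata, dtype)

if __name__ == "__main__":
    ksk = b"\x01\x02\x03\x04"  # constructed placeholder, not a real public key
    print(ds_record("example.com.", 257, 13, ksk))
```

Run the check again after the parent has published the DS and after every KSK rollover, since a stale DS at the parent breaks the chain of trust even though the zone itself is correctly signed.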