GTM Deploy outside of firewall, DNSSEC concern

I'm not too familiar with GTM so forgive me for speaking with no authority, however, you'd have the same issue with LTM and SSL certificates, whether it's outside the firewall or inside. Obviously, most people would prefer inside to outside from a design and security standpoint. Secure Vault would protect keys if the hard drives were removed from the system, not while they are in it. Of course, TMOS is pretty secure in general where ICMP, DDoS mitigation, ARP protection etc. are concerned and you've got packet filters, VLAN source checking, SSL and GUI IP restrictions, an out of band management interface, port lockdown and more on your side. You could also consider appliance mode. Regardless, I wouldn't do it unless I had to and only then if the whole company signed a disclaimer.