PKI best practices do not state that Root CAs must be offline. This design choice is driven by the level of assurance required of the trust anchor.
Being deployed “offline” eliminates the possibility of all network-based and most physical attacks directly on the Root CA.
The chain of trust from an end-user certificate to a Root CA is unaffected by whether the Root CA is operated online or offline. Storing the Root CA keys in an appropriately rated (e.g., FIPS 140-2 Level 3) HSM adds a further layer of physical protection to the Root CA.
Although Root CAs are deployed offline, they must still publish a CA certificate and a Certificate Revocation List (CRL) at regular intervals; these must be distributed to online repositories so that Relying Parties can retrieve them.