FortiGate
amalsky
Staff
Article Id 408517
Description: This article describes how to configure bidirectional DNS synchronisation between a FortiGate and a BIND server (running on OPNsense) over a VXLAN tunnel transported inside an IPsec VPN.
Scope: FortiGate v7.0, v7.2, v7.4, v7.6.
Solution:

In this design:

  • The 'OPNsense BIND server' is the authoritative master for 'corp.local' and FortiGate is configured as a secondary (slave).
  • The FortiGate is the authoritative master for 'branch.local' and OPNsense is configured as a secondary (slave).
  • The two sites are interconnected via VXLAN-over-IPsec, which provides resilient transport for zone transfers (AXFR/IXFR).

This setup ensures that both sites hold authoritative DNS information for both zones.

Topology:

Site A (OPNsense)                          Site B (FortiGate)
┌────────────────────────┐                 ┌────────────────────────┐
│ OPNsense + BIND        │                 │ FortiGate 60F          │
│ 10.10.12.100           │                 │ 192.168.2.1            │
│                        │                 │                        │
│ Master: corp.local     │◄──────AXFR──────│ Secondary: corp.local  │
│ Slave : branch.local   │──────AXFR──────►│ Master: branch.local   │
└────────────────────────┘   VXLAN/IPsec   └────────────────────────┘

  • Arrow from Site B to Site A (FortiGate requests the transfer): 'corp.local' is replicated from OPNsense → FortiGate.
  • Arrow from Site A to Site B (OPNsense requests the transfer): 'branch.local' is replicated from FortiGate → OPNsense.

FortiGate: corp.local secondary, branch.local primary.
Configure the FortiGate as a slave for 'corp.local' and as a master for 'branch.local':

config system dns-database
    edit "branch.local"
        set status enable
        set domain "branch.local"
        set type primary
        set view public
        set ttl 86400
        set authoritative enable
        unset forwarder
        set forwarder6 ::
        set source-ip 0.0.0.0
        set source-ip6 ::
        unset allow-transfer
        set primary-name "dns"
        set contact "host"
    next

    edit "corp.local"
        set status enable
        set domain "corp.local"
        set type secondary
        set view public
        set authoritative enable
        unset forwarder
        set forwarder6 ::
        set source-ip 192.168.2.1
        set source-ip6 ::
        set rr-max 16384
        set ip-primary 10.10.12.100
    next
end

config system dns-server
    edit "internal1"
        set mode non-recursive
    next
    edit "to OPNsense"
        set mode non-recursive
    next
end

VXLAN over IPsec transport:

  • A VXLAN tunnel ('vxlan-over-ipsec') is established between OPNsense (10.10.12.100) and the FortiGate (192.168.2.1).
  • Ensure UDP/4789 (VXLAN) is allowed inside the IPsec selector.
  • Allow TCP/53 and UDP/53 over the VXLAN/IPsec path for zone transfers and DNS queries.

Verification:

On the FortiGate:

[Screenshot: verification zone transfer on FGT.PNG]

After a zone update:

[Screenshot: verification zone transfer on FGT serial increased.PNG]

Confirm that the serial of the corp.local secondary zone on the FortiGate has increased to match the OPNsense master:

[Screenshot: opnsense serial zone increasing.png]

Enable dnsproxy debugging on the FortiGate to observe the zone transfer:

diagnose debug reset
diagnose debug application dnsproxy -1
diagnose debug enable

Trigger a further zone update from the master (OPNsense) while the debug is running.

Debug output:

[Screenshot: debug zone increasing.PNG]

Test from a client behind the FortiGate:

dig +norecurse @192.168.2.1 corp.local SOA
dig @192.168.2.1 ns1.corp.local A

[Screenshot: test from ubuntu client behind fgt.PNG]
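The serial comparison done by hand above can be scripted from the client. The following POSIX shell script is an added example and is not part of the Fortinet article; it assumes dig is installed on the client and uses the article's addresses (10.10.12.100 for the OPNsense BIND server, 192.168.2.1 for the FortiGate). It queries both servers for each zone's SOA, compares the serials so a stalled or refused AXFR is noticed, and can also confirm that a serial advanced after a zone update. The parsing helpers are exercised offline against a constructed sample answer.

```sh
#!/bin/sh
# Added example, not part of the Fortinet article: a client-side check that the
# corp.local and branch.local zones carry the same SOA serial on primary and
# secondary, i.e. that the AXFR over VXLAN/IPsec actually completed.
# Assumptions: dig is installed on the client; server addresses are the ones
# used in the article (10.10.12.100 = OPNsense BIND, 192.168.2.1 = FortiGate).

OPNSENSE="10.10.12.100"   # primary for corp.local, secondary for branch.local
FORTIGATE="192.168.2.1"   # secondary for corp.local, primary for branch.local

# Read dig output on stdin and print the serial of the first SOA answer line.
# With default awk field splitting an answer line looks like:
#   <owner> <ttl> IN SOA <mname> <rname> <serial> <refresh> <retry> <expire> <minimum>
# so the serial is field 7. Prints nothing when no SOA record is present.
soa_serial() {
    awk '$1 !~ /^;/ && $4 == "SOA" { print $7; exit }'
}

# Query one server for a zone's SOA (non-recursive, as in the article) and print the serial.
query_serial() {
    zone=$1; server=$2
    dig +norecurse +noall +answer @"$server" "$zone" SOA | soa_serial
}

# Compare a primary and a secondary serial.
# Returns 0 when they match, 1 when they differ, 2 when either query returned nothing.
compare_serials() {
    [ -n "$1" ] && [ -n "$2" ] || return 2
    [ "$1" -eq "$2" ] && return 0
    return 1
}

# Returns 0 when the serial seen after a zone update ($2) is higher than the one seen before ($1).
serial_advanced() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$2" -gt "$1" ]
}

# Check one zone: $1 = zone, $2 = primary address, $3 = secondary address.
check_zone() {
    p=$(query_serial "$1" "$2")
    s=$(query_serial "$1" "$3")
    if compare_serials "$p" "$s"; then
        echo "$1: in sync (serial $p)"
    else
        echo "$1: OUT OF SYNC (primary=${p:-none} secondary=${s:-none})" >&2
        return 1
    fi
}

# Constructed sample of 'dig +noall +answer' output, used for the offline self-check.
SAMPLE_ANSWER='corp.local.  86400  IN  SOA  ns1.corp.local. hostmaster.corp.local. 2024060102 3600 900 604800 86400'

# Usage: sh check_dns_sync.sh run   (live queries are only sent with the "run" argument)
main() {
    rc=0
    check_zone corp.local   "$OPNSENSE"  "$FORTIGATE" || rc=1
    check_zone branch.local "$FORTIGATE" "$OPNSENSE"  || rc=1
    return $rc
}

if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it as `sh check_dns_sync.sh run`; without the argument only the functions are defined, so the file can be sourced by a monitoring job. The compare step distinguishes a mismatch (exit 1) from a missing answer (exit 2) because a secondary that has never completed its first transfer returns no SOA at all (typically SERVFAIL) rather than an old serial, and the two conditions point at different things to check (a stale transfer versus the transport or transfer permission).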

Benefits:

  • Layer 2 reachability over any IP network using VXLAN.
  • DNS zone transfers happen as if both servers were on the same LAN segment.
  • Secure separation from other traffic with a dedicated VNI and firewall rules.
  • Flexibility to run other Layer-2-dependent services across sites.