Just an update on this problem.
The problem I was trying to address was doing DNS zone transfers from an Active Directory DNS server at the head office across an IPsec tunnel to a branch office.
The DNS for the branch office is provided by the FortiGate that is also the VPN tunnel endpoint.
Even though I configured the slave zone on the FortiGate using the method in this KB, https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/960561/fortigate-dns-server , the zone transfer fails.
Note that the KB doesn't mention that you have to set your Windows DNS server to allow the zone transfer to take place. By default, Windows AD DNS is set not to allow zone transfers. It also doesn't hurt to set your Windows DNS server to use BIND secondaries.
The reason the zone transfer fails is that the FortiGate doesn't know which IP to use when sending the zone transfer request, so it defaults to using the interface with the lowest index value (usually the first interface created on the device, wan1).
The resolution is to set the source IP on the DNS database using the CLI.
The commands to do this are:
config system dns-database
    edit "MyFunkyDomain"       <---- or whatever the name of the database you created is
        set source-ip x.x.x.x  <---- IP that it should use as the source for the traffic
    next
end
Once that is done, the zone transfer succeeds.
Thanks, everyone, for your input. Thanks to Fortinet telephone support; they resolved the issue quickly.
Hopefully this information will help anyone with a similar issue in the future.
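The post covers the FortiGate side but only mentions in passing that the Windows DNS server must be told to allow the transfer. The following is an added example (not part of the original post, and not Fortinet's or Microsoft's documentation) showing the Windows half of the procedure in PowerShell: it permits AXFR only to the address the FortiGate now sends from (the `set source-ip` value), turns on notifications to that address, and sets the server-wide BIND-secondaries option the post recommends. Restricting transfers to that one address matters because a zone transfer hands out every record in the zone; "allow to any server" would expose it to anything that can reach the DNS port. The zone name and IP address below are placeholders, assumed for illustration.

```powershell
# Added example, not from the original post. Run as a DNS administrator
# on the head-office Windows DNS server. Values are assumptions: replace
# with the real AD zone and the IP configured with "set source-ip" on the FortiGate.
$ZoneName    = 'corp.example.com'   # assumption: the AD-integrated primary zone
$FortiGateIp = '10.10.10.1'         # assumption: FortiGate's configured source-ip

# Allow zone transfers only to the listed secondary (not to any server, and
# not merely to the zone's NS records), and send NOTIFY to it on zone changes
# so the slave zone on the FortiGate refreshes promptly instead of waiting
# for its refresh timer.
Set-DnsServerPrimaryZone -Name $ZoneName `
    -SecureSecondaries TransferToSecureServers `
    -SecondaryServers  $FortiGateIp `
    -Notify            NotifyServers `
    -NotifyServers     $FortiGateIp

# Optional, server-wide: "BIND secondaries" disables the Windows fast-transfer
# format (compressed, multiple records per message), which some non-Windows
# secondaries do not accept. Harmless to enable for a FortiGate slave zone.
dnscmd.exe /Config /BindSecondaries 1

# Confirm the zone's transfer settings before retesting from the FortiGate side.
Get-DnsServerZone -Name $ZoneName |
    Select-Object ZoneName, SecureSecondaries, SecondaryServers, Notify, NotifyServers
```

After this, the next refresh (or a NOTIFY after a zone change) should populate the slave zone on the FortiGate; if it still fails, check that the FortiGate's source address matches `SecondaryServers` exactly and that the tunnel's firewall policy permits TCP/53 from that address to the Windows server, since AXFR runs over TCP.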