Zone entanglement

Well, I need a load more information to give you a specific solution. Particularly I need to know the why's you put the what's in place.

However, perhaps I can give you a general strategy. If this strategy won't work for you, then I want to know why.

We're going to assume that there's 2 locations, and the machines at one location can't communicate with the machines at the other location except via the gateway.

So let's define the dns servers on this WAN. These are just the types of dns servers and their roles, you may have redundancy for each type.

location1: gateway dns server (G1), internal dns server (P1)
location2: gateway dns server (G2), internal dns server (P2)

G1 DNS Server role: master server

host company-wide public domains in the public name space
host company-wide private domains in the private name space
host location-specific private domains in the private name space

-- redundant servers are slaves to G1

G2 DNS server role: slave server

host company-wide public domains in the public name space
host company-wide private domains in the private name space
host location-specific private domains in the private name space

-- G2 downloads all company-wide domain info from G1. This is easy for the public name space, but it could be tricky getting access to the private name space. G2 may have to be a second master for company-wide private domains.

-- redundant servers are slaves to G1

P1 and P2 server role: local resolver

resolves domains for the respective location's clients.
forwards resolution for company-wide and location-specific private domains to the G1 and G2 servers respectively.

-- redundant servers has an identical configuration.

the clients

All client machines at location 1 are configured with the IP address(es) for the P1 server and all redundancies.
All client machines at location 2 are configured with the IP address(es) for the P2 server and all redundancies.

Additional Note

There may be cases where you have more than 2 locations. The same strategy can apply. However, in the event that a location can't reach L1 it MAY be a slave to another slave G server. Any updates made at the G1 server can ripple down to L2 and from L2 it updates unreachable L3.

Summary

This strategy is extremely flexible. The principle is that a resolver should never host domains. It should forward resolution to the host server. Also, it reminds you that you can host public zones with public IP info and private zones with private IP info by the same name on the same gateway server. You just got to separate the name spaces. In other words, return info for the public or private name space based on the request's source and/or destination address.