DNS-over-HTTPS (DoH)
^^^^^^^^^^^^^^^^^^^^
-.. note::
-
- Knot Resolver currently offers two DoH implementations.
- It is recommended to use this new implementation, which is more reliable, scalable and has fewer dependencies.
- Make sure to use ``doh2`` kind in :option:`network/listen <network/listen: <list>>` to select this implementation.
-
.. tip::
Independent information about political controversies around the
A self-signed certificate is generated by default.
For serious deployments it is strongly recommended to configure your own TLS certificates signed by a trusted CA.
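Review bot: removing this note drops the only sentence in the section that tells the reader to pick the ``doh2`` kind in :option:`network/listen <network/listen: <list>>` to get this implementation. If the older DoH implementation is gone, the ``network/listen`` documentation should state that (or list the accepted kinds) so the guidance is not lost; if it still exists, keep a one-line pointer here, e.g. "Use the ``doh2`` kind in ``network/listen`` to enable this implementation."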
+.. code-block:: yaml
+
+ network:
+ tls:
+ cert-file: /etc/knot-resolver/server-cert.pem
+ key-file: /etc/knot-resolver/server-key.pem
+
+
Knot Resolver respects system-wide cryptographic policies. If you are using a
distro that ships such a package, you may use `crypto-policies
<https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening>`_
.. option:: key-file: <path>
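Review bot: the added ``.. code-block:: yaml`` directive follows the "For serious deployments ..." sentence with no blank line in between in this hunk; reStructuredText will then treat the ``..`` line as part of that paragraph instead of a directive, so a blank line is needed before it. In the same block, the YAML nesting is not visible as shown: ``tls:`` must be indented under ``network:`` and ``cert-file:``/``key-file:`` under ``tls:``, and the whole body must be indented under the directive, otherwise the example is both invalid YAML and rendered as plain text. The two trailing blank ``+`` lines can be reduced to one.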
- .. code-block:: yaml
-
- network:
- tls:
- cert-file: /etc/knot-resolver/server-cert.pem
- key-file: /etc/knot-resolver/server-key.pem
-
.. option:: files-watchdog: auto|true|false
:default: auto
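Review bot: with this block removed, ``.. option:: key-file: <path>`` is immediately followed by ``.. option:: files-watchdog: auto|true|false``, so the ``key-file`` option has no description body left in this hunk. If its description lives elsewhere that is fine; otherwise add a short sentence under the option (for example, that it is the path to the PEM-encoded private key matching ``cert-file``) so the option entry is not empty after the example moves up.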