From: Vladimír Čunát Date: Thu, 6 Nov 2025 17:02:57 +0000 (+0100) Subject: doc/user/config-network-server-tls.rst: nits X-Git-Tag: v6.0.17~5^2~5 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e2d3c68274c71229b069945ede7d5f40fd4de3c6;p=thirdparty%2Fknot-resolver.git doc/user/config-network-server-tls.rst: nits - move an example config closer to the beginning of its section - less mention of doh-legacy --- diff --git a/doc/user/config-network-server-tls.rst b/doc/user/config-network-server-tls.rst index abc4429af..1436b6e2d 100644 --- a/doc/user/config-network-server-tls.rst +++ b/doc/user/config-network-server-tls.rst @@ -35,12 +35,6 @@ For certificate configuration, refer to :ref:`dot-doh-config-options`. DNS-over-HTTPS (DoH) ^^^^^^^^^^^^^^^^^^^^ -.. note:: - - Knot Resolver currently offers two DoH implementations. - It is recommended to use this new implementation, which is more reliable, scalable and has fewer dependencies. - Make sure to use ``doh2`` kind in :option:`network/listen >` to select this implementation. - .. tip:: Independent information about political controversies around the @@ -105,6 +99,14 @@ Configuration options for DoT and DoH A self-signed certificate is generated by default. For serious deployments it is strongly recommended to configure your own TLS certificates signed by a trusted CA. +.. code-block:: yaml + + network: + tls: + cert-file: /etc/knot-resolver/server-cert.pem + key-file: /etc/knot-resolver/server-key.pem + + Knot Resolver respects system-wide cryptographic policies. If you are using a distro that ships such a package, you may use `crypto-policies `_ @@ -121,13 +123,6 @@ policies. .. option:: key-file: - .. code-block:: yaml - - network: - tls: - cert-file: /etc/knot-resolver/server-cert.pem - key-file: /etc/knot-resolver/server-key.pem - .. option:: files-watchdog: auto|true|false :default: auto
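Review bot: in the first hunk (@@ -35,12 +35,6 @@, DNS-over-HTTPS section), deleting the whole note also deletes the sentence telling the reader to use the ``doh2`` kind in network/listen, and nothing in the visible context replaces it. If the legacy implementation can still be selected, keep that one sentence as plain text in the section and drop only the comparison of the two implementations.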
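Review bot: in the second hunk (@@ -105,6 +99,14 @@), the added yaml block follows the paragraph about configuring your own CA-signed certificates with no lead-in, and it now sits ahead of the ``key-file`` option entry it illustrates. A short sentence such as "For example:" that names ``cert-file`` and ``key-file`` would tie it to that paragraph. The hunk also adds two blank lines after the block where one is enough.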
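Review bot: in the third hunk (@@ -121,13 +123,6 @@), removing the example leaves ``.. option:: key-file:`` with no body, since the next visible line is ``.. option:: files-watchdog: auto|true|false``. Give ``key-file`` a one-line description, or a reference to the example that now sits earlier in the section, so the option entry does not render empty.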