An example configuration file for Knot that runs DNS-over-TLS on port 853 is below.
If you are using systemd with socket-based activation, you need to remove the net.listen lines above and instead run
systemctl edit kresd-tls.socket
in the override file.
If you are using the packages from home:CZ-NIC:knot-resolver-latest, you need to enable the service using
systemctl enable --now firstname.lastname@example.org
See man kresd.systemd for more info.
Depending on how your certificate is issued, you may need to add the intermediate certificate to your certificate file so that clients can validate it. For example, if you use Let's Encrypt to create your certificate, you will need to add the intermediate certificate (found in the <N>_chain.pem file) to the cert file.
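
One way to assemble and sanity-check that certificate file, as an added shell example that is not part of the original page or of the Knot Resolver project. The function names and the file paths passed to them are assumptions.

```shell
#!/bin/sh
# Added example: build the cert file a DNS-over-TLS server should present
# (server certificate first, then the intermediate) and check the result.
# Function names and argument file names are hypothetical.

# Print the number of PEM certificates found in a file.
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# build_fullchain LEAF CHAIN OUT
# Returns 0 on success, 1 on bad input, 2 if the output is malformed.
build_fullchain() {
    leaf=$1 chain=$2 out=$3
    [ -r "$leaf" ] && [ -r "$chain" ] || { echo "unreadable input" >&2; return 1; }

    # A leaf file that already holds several certificates has had the
    # intermediate appended before; appending again would duplicate it.
    if [ "$(cert_count "$leaf")" -ne 1 ]; then
        echo "$leaf must contain exactly one certificate" >&2
        return 1
    fi
    if [ "$(cert_count "$chain")" -lt 1 ]; then
        echo "$chain contains no certificate" >&2
        return 1
    fi

    # Leaf first, then the intermediate(s). awk re-emits every line with a
    # newline, so a leaf file lacking a final newline cannot fuse its END
    # marker with the next BEGIN marker (a common result of plain cat).
    awk '1' "$leaf" "$chain" > "$out" || return 1

    # Each marker must sit alone on its line and the counts must add up.
    begins=$(grep -c -x -- '-----BEGIN CERTIFICATE-----' "$out" || true)
    ends=$(grep -c -x -- '-----END CERTIFICATE-----' "$out" || true)
    total=$(( $(cert_count "$leaf") + $(cert_count "$chain") ))
    [ "$begins" -eq "$total" ] && [ "$ends" -eq "$total" ] || return 2
    return 0
}
```

After reloading the resolver, openssl s_client -connect <your-host>:853 -showcerts lists the certificates the server actually sends, which should now include the intermediate.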