diff --git a/doc/configuration/host_config.md b/doc/configuration/host_config.md
index c69e76c5df4..8d07a2755b0 100644
--- a/doc/configuration/host_config.md
+++ b/doc/configuration/host_config.md
@@ -193,13 +193,7 @@ The `register` rule is defined only for `domain2.com`.
 
 ### `host_config.s2s`
 
-The options defined here override the ones defined in the top-level [`s2s`](s2s.md) section.
-The following options are allowed:
-
-* [`default_policy`](s2s.md#s2sdefault_policy)
-* [`host_policy`](s2s.md#s2shost_policy)
-* [`shared`](s2s.md#s2sshared)
-* [`max_retry_delay`](s2s.md#s2smax_retry_delay)
+This section completely overrides the top-level [`s2s`](s2s.md) section, all options are allowed.
 
 #### Example
 
@@ -227,4 +221,4 @@ The `host_policy` option is changed for `domain2.com`:
     ]
 ```
 
-The `default_policy` is still `deny`.
+Note that `default_policy` for `domain2.com` has the default value `allow`, because `host_config.s2s` completely overrides the top-level `s2s` section, and all options are reset to the respective default values, unless they are explicitly changed.
diff --git a/doc/configuration/s2s.md b/doc/configuration/s2s.md
index 5fe5e624b66..02d587e0a90 100644
--- a/doc/configuration/s2s.md
+++ b/doc/configuration/s2s.md
@@ -21,7 +21,7 @@ Default policy for opening new S2S connections to/from remote servers.
 * **Syntax:** array of TOML tables with the following mandatory content:
     * `host` - string, host name
     * `policy` - string, `"allow"` or `"deny"`
-* **Default:** `"allow"`
+* **Default:** not set, `default_policy` is used
 * **Example:**
 
 ```toml
diff --git a/doc/migrations/5.0.0_5.1.0.md b/doc/migrations/5.0.0_5.1.0.md
index f6581f8a966..5f38062df37 100644
--- a/doc/migrations/5.0.0_5.1.0.md
+++ b/doc/migrations/5.0.0_5.1.0.md
@@ -16,7 +16,9 @@ See the [auth configuration](../configuration/auth.md) for details.
 
 ### Section `s2s`
 
-The `domain_certfile` option has been moved to the `general` section because it affects `c2s` connections as well.
+* All options can be set globally or inside `host_config`.
+* The `host_config.s2s` section overrides the whole global section now. Previously only the specified options were overridden.
+* The `domain_certfile` option has been moved to the `general` section because it affects `c2s` connections as well.
 
 ### Section `host_config`