Hi again,
Indeed. Assuming WMDE isn't planning on not having any web servers, their existing web server for wikimedia.de can keep redirecting tools.wikimedia.de to toolserver.org. No changes necessary.
So okay, not making any change to the DNS entry is completely okay for me. WMF ops then have to decide about the SSL certificate question.
If WMDE really wants to remove them, they could point that subdomain to WMF servers and have WMF do the redirect and simply not provide an SSL certificate. E.g. WMF would use a self-signed certificate or an invalid one like the one for wikipedia.org. WMF does this all the time for old or unused domains:
wikipedia.com
wikimediacommons.org
And if we really really want, one could purchase a separate certificate for just tools.wikimedia.org (so that the wildcard one isn't needed) and transfer only that to WMF.
For me, it is important that I don't have to deal with that domain any longer. Simply keeping the CNAME causes no work at all. If you at WMF want to handle the certificate question in the future, you can go ahead. At the Hackathon, I understood that Coren is no fan of such a solution though.
Best, Silke