Code review comment for lp:~ahasenack/charms/precise/postgresql/nicer-fix-to-avoid-cnames-in-pg_hba

Stuart Bishop (stub) wrote :

This is going to be a permanent fix as I understand it, as charms supporting MaaS that need this sort of IP filtering (Most services? Few services?) will be required to do the CNAME dereferencing themselves. This will mean MaaS needs to guarantee that the CNAME will never be changed, and always point to the same A record. This still allows MaaS to change the IP addresses of machines, as the CNAME points to an A record and the IP address associated with that A record may be changed.

For a permanent fix, I don't think we should have the bare except in here. I think that if the DNS lookups fail, it is a good reason to have the hook fail.

This code isn't quite doing the same thing as the dig lookup. The dig lookup is only dereferencing CNAMEs to an A record. The address this A record points to can change, and everything will still be happy. The new lookup dereferences both CNAMEs and A records to IP addresses. If a juju provider supports changing the IP address of a machine it could do so by giving a DNS name rather than an IP address as the private-address. It can then change where that name points to without needing to kick off all the -changed hooks, as the standard DNS TTL mechanism will sort things out. If a juju provider did this, it would break the proposed use of socket.gethostbyname to replace dig.

I'd vote to leave it like it is, and just remove the exception handler since the dig lookup seems stable. This is not performance critical.

review: Needs Information
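
The difference the comment above describes between CNAME-only dereferencing and a full hostname-to-IP lookup, as an added example that is not part of the review or of the charm's code. The zone data, names, addresses and the simplified `entry_matches` check are constructed assumptions; no real DNS is queried.

```python
import ipaddress

class DNSLookupFailed(Exception):
    """Raised instead of being swallowed, so a calling hook would fail."""

# Constructed zone standing in for the provider's DNS; all names/addresses are made up.
ZONE = {
    "unit-0.maas.example": ("CNAME", "node-7.maas.example"),
    "node-7.maas.example": ("A", "10.0.0.7"),
}

def deref_cnames(name, zone, max_hops=8):
    """Follow CNAME records only; return the name that owns the A record."""
    for _ in range(max_hops):
        if name not in zone:
            raise DNSLookupFailed(name)
        rtype, value = zone[name]
        if rtype == "A":
            return name
        name = value
    raise DNSLookupFailed("CNAME chain too long")

def resolve_to_ip(name, zone):
    """Follow CNAMEs and the A record, as a full hostname-to-IP lookup does."""
    return zone[deref_cnames(name, zone)][1]

def entry_matches(entry, client_ip, zone):
    """Simplified access check (assumption): a name entry is resolved at
    check time, an IP entry is compared exactly as written."""
    try:
        ipaddress.ip_address(entry)
        return entry == client_ip
    except ValueError:
        return resolve_to_ip(entry, zone) == client_ip

def demo():
    name_entry = deref_cnames("unit-0.maas.example", ZONE)  # CNAME-only result
    ip_entry = resolve_to_ip("unit-0.maas.example", ZONE)   # full resolution
    # Provider moves the machine: only the A record changes, no hook runs.
    moved = dict(ZONE, **{"node-7.maas.example": ("A", "10.0.0.42")})
    return (name_entry, ip_entry,
            entry_matches(name_entry, "10.0.0.42", moved),
            entry_matches(ip_entry, "10.0.0.42", moved))

if __name__ == "__main__":
    print(demo())
```

The entry built from the A-record name still admits the client after the address change, while the entry built from the resolved IP goes stale until a hook rewrites it.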