diff --git a/zerotier-network-hypervisor/default-rootset/root.zerotier.com.bin b/zerotier-network-hypervisor/default-rootset/root.zerotier.com.bin
index 88ea585a2..d167c3d50 100644
Binary files a/zerotier-network-hypervisor/default-rootset/root.zerotier.com.bin and b/zerotier-network-hypervisor/default-rootset/root.zerotier.com.bin differ
diff --git a/zerotier-network-hypervisor/default-rootset/root.zerotier.com.json b/zerotier-network-hypervisor/default-rootset/root.zerotier.com.json
index 6115e9544..942e7ac5e 100644
--- a/zerotier-network-hypervisor/default-rootset/root.zerotier.com.json
+++ b/zerotier-network-hypervisor/default-rootset/root.zerotier.com.json
@@ -5,22 +5,22 @@ "members": [ { "identity": "62f865ae71:0:e2076c57de870e6288d7d5e7404408b1545efca37d67f77b87e9e54168c25d3ef1a9abf2905ea5e785c01dff23887ad4232d95c7a8fd2c27111a72bd159322dc", "endpoints": [ "udp:50.7.252.138/9993", "udp:2001:49f0:d0db:2::2/9993" ],
- "signature": [ 1, 11, 19, 254, 152, 128, 229, 120, 238, 27, 162, 32, 34, 243, 199, 109, 197, 193, 7, 90, 237, 8, 207, 123, 2, 226, 71, 228, 53, 75, 127, 197, 205, 1, 220, 225, 165, 236, 110, 129, 73, 135, 74, 198, 58, 215, 180, 78, 17, 238, 159, 82, 30, 148, 159, 114, 248, 34, 19, 237, 247, 188, 185, 6, 5 ],
+ "signature": [ 1, 251, 252, 226, 56, 91, 22, 138, 175, 73, 34, 92, 206, 150, 216, 249, 15, 238, 235, 103, 139, 84, 47, 155, 0, 117, 241, 230, 42, 12, 48, 124, 7, 137, 135, 143, 72, 252, 253, 67, 130, 68, 98, 214, 106, 171, 228, 205, 27, 68, 183, 40, 20, 24, 20, 188, 17, 175, 74, 112, 253, 20, 2, 125, 5 ],
 "priority": 0 }, { "identity": "778cde7190:0:3f6681a99e5ad1895e9fba33e6212d4454e168bcec7112101bf000956ed8e92e42892cb6f2ec410881a84ab19da50e1287ba3d926c3a1f755cccf299a1207055", "endpoints": [ "udp:103.195.103.66/9993", "udp:2605:9880:400:c3:254:f2bc:a1f7:19/9993" ],
- "signature": [ 1, 176, 201, 27, 124, 69, 177, 126, 248, 34, 141, 118, 151, 20, 54, 21, 172, 207, 65, 81, 56, 38, 103, 54, 233, 21, 135, 0, 198, 3, 181, 69, 14, 252, 141, 85, 144, 33, 2, 195, 2, 132, 156, 24, 120, 87, 7, 126, 55, 94, 82, 78, 195, 58, 232, 153, 76, 181, 102, 5, 94, 219, 30, 201, 11 ],
+ "signature": [ 1, 30, 210, 102, 33, 134, 186, 143, 248, 90, 201, 64, 19, 90, 187, 176, 193, 232, 178, 248, 10, 191, 160, 95, 111, 13, 182, 32, 140, 254, 133, 241, 221, 6, 28, 77, 142, 125, 197, 33, 132, 233, 37, 60, 158, 41, 20, 121, 4, 108, 6, 54, 207, 185, 130, 52, 118, 83, 253, 70, 166, 44, 142, 111, 1 ],
 "priority": 0 }, { "identity": "cafe04eba9:0:6c6a9d1dea55c1616bfe2a2b8f0ff9a8cacaf70374fb1f39e3bef81cbfebef17b7228268a0a2a29d3488c752565c6c965cbd6506ec24397cc8a5d9d15285a87f", "endpoints": [ "udp:84.17.53.155/9993",
"udp:2a02:6ea0:d405::9993/9993" ],
- "signature": [ 1, 95, 173, 172, 103, 89, 255, 220, 100, 218, 112, 19, 153, 47, 197, 108, 17, 224, 59, 225, 35, 171, 255, 131, 143, 165, 0, 159, 91, 244, 11, 52, 144, 103, 105, 126, 245, 114, 60, 71, 92, 85, 78, 105, 20, 41, 47, 138, 243, 37, 69, 232, 33, 206, 185, 166, 243, 3, 99, 92, 21, 114, 154, 166, 15 ],
+ "signature": [ 1, 160, 218, 25, 6, 109, 106, 32, 77, 29, 1, 63, 71, 248, 37, 226, 213, 58, 71, 206, 191, 55, 118, 226, 117, 92, 112, 13, 57, 108, 186, 160, 197, 130, 13, 10, 180, 97, 221, 48, 113, 22, 74, 46, 164, 61, 217, 199, 12, 170, 95, 66, 76, 58, 55, 110, 175, 229, 0, 238, 244, 229, 230, 39, 10 ],
 "priority": 0 }, { "identity": "cafe9efeb9:0:ccdef76bc7b97ded904eabc5df09886d9c1514a610036cb9139cc214001a2958978efcec15712dd3948c6e6b3a8e893df01ff493d1f8d9806a860c5420571bf0", "endpoints": [ "udp:104.194.8.134/9993", "udp:2605:9880:200:1200:30:571:e34:51/9993" ],
- "signature": [ 1, 117, 175, 12, 134, 119, 149, 178, 74, 56, 60, 139, 20, 25, 140, 172, 233, 127, 198, 175, 211, 175, 89, 67, 177, 71, 129, 154, 33, 217, 14, 152, 150, 57, 103, 123, 193, 170, 19, 203, 44, 205, 251, 38, 91, 4, 83, 224, 123, 69, 174, 61, 73, 239, 192, 8, 84, 193, 155, 36, 140, 41, 156, 59, 4 ],
+ "signature": [ 1, 6, 67, 188, 196, 75, 197, 205, 200, 209, 22, 248, 128, 235, 176, 232, 119, 57, 70, 89, 157, 73, 94, 166, 108, 255, 105, 26, 105, 215, 9, 63, 174, 146, 229, 240, 206, 20, 93, 161, 77, 220, 166, 17, 74, 167, 162, 234, 150, 82, 164, 60, 108, 186, 195, 191, 41, 61, 25, 93, 137, 123, 23, 156, 9 ],
 "priority": 0 } ] }
diff --git a/zerotier-network-hypervisor/src/util/buffer.rs b/zerotier-network-hypervisor/src/util/buffer.rs
index a19a84eea..30ba0ee83 100644
--- a/zerotier-network-hypervisor/src/util/buffer.rs
+++ b/zerotier-network-hypervisor/src/util/buffer.rs
@@ -394,7 +394,7 @@ impl Buffer {
 let mut a = &self.1[c..];
 crate::util::varint::read(&mut a).map(|r| {
 *cursor = c + r.1;
- debug_assert!(*cursor < self.0);
+ debug_assert!(*cursor <= self.0);
 r.0
 })
 } else {
diff --git a/zerotier-network-hypervisor/src/vl1/identity.rs b/zerotier-network-hypervisor/src/vl1/identity.rs
index 53367a779..defc1a191 100644
--- a/zerotier-network-hypervisor/src/vl1/identity.rs
+++ b/zerotier-network-hypervisor/src/vl1/identity.rs
@@ -440,6 +440,10 @@ impl Identity {
 }
 }
+ // A size of zero tells unmarshal() to stop.
+ buf.append_u8(0x03)?;
+ buf.append_u16(0)?;
+ Ok(())
 }
@@ -659,7 +663,8 @@ impl Marshalable for Identity {
 if algorithm.is_err() {
 break;
 }
- match algorithm.unwrap() {
+ let algorithm = algorithm.unwrap();
+ match algorithm {
 0x00 | IDENTITY_ALGORITHM_X25519 => {
 let a = buf.read_bytes_fixed::(cursor)?;
 let b = buf.read_bytes_fixed::(cursor)?;
@@ -677,7 +682,12 @@ impl Marshalable for Identity {
 // This isn't an algorithm; each algorithm is identified by just one bit. This
 // indicates the total size of the section after the x25519 keys for backward
 // compatibility. See comments in marshal(). New versions can ignore this field.
- *cursor += 2;
+ let size = buf.read_u16(cursor)?;
+ if size == 0 {
+ break;
+ } else {
+ *cursor += size as usize;
+ }
 }
 IDENTITY_ALGORITHM_EC_NIST_P384 => {
 let size = buf.read_u16(cursor)?;
diff --git a/zerotier-network-hypervisor/src/vl1/rootset.rs b/zerotier-network-hypervisor/src/vl1/rootset.rs
index 49b95b6ee..d35c4a59f 100644
--- a/zerotier-network-hypervisor/src/vl1/rootset.rs
+++ b/zerotier-network-hypervisor/src/vl1/rootset.rs
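Review bot: The relaxed `debug_assert!(*cursor <= self.0)` is still a debug-build check only, so in release a varint whose encoding runs past the logical length `self.0` leaves `*cursor` beyond it with no error returned to the caller. The reader is handed `&self.1[c..]`, which — if `self.1` is the fixed backing storage and `self.0` the used length, as the assertion implies — extends to the end of the storage rather than to `self.0`, so an over-long varint can be decoded from stale bytes past the end of the message. Bounding the slice, `let mut a = &self.1[c..self.0];`, makes such input fail inside `read` in every build instead of passing a debug-only check; this assumes the enclosing branch has already established `c <= self.0`, which lies outside the hunk, as does the rest of the function.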
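Review bot: The terminator written by `buf.append_u8(0x03)?;` is a bare magic number, while the algorithm tags elsewhere in this file are named (`IDENTITY_ALGORITHM_X25519`, `IDENTITY_ALGORITHM_EC_NIST_P384` in the later hunks), and the matching `0x03` arm in unmarshal is presumably equally anonymous. Giving the section-size tag a `const` (a name such as `IDENTITY_SECTION_SIZE_TAG`, constructed here) and using it in both places keeps the two sides of the wire format from drifting apart. The added comment could also say that the terminator is now always emitted, e.g. `// Always terminate with a size-0 section so unmarshal() stops here; older encoders omitted this.`, since that is the compatibility property the reader relies on. The enclosing marshal function begins outside the hunk.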
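Review bot: `if algorithm.is_err() { break; }` followed by the new `let algorithm = algorithm.unwrap();` is the manual form of a match; `let algorithm = match algorithm { Ok(a) => a, Err(_) => break };` says the same in one line with no unwrap to reason about. Separately, breaking on a read error means a truncated trailing section ends the loop exactly as a terminator would, so a cut-off identity is returned as if it were complete; if that leniency is intended for backward compatibility, a one-line comment on the `break` saying so would help, because the read producing `algorithm` sits outside the hunk and a future reader cannot tell whether the silent stop is deliberate.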
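Review bot: `*cursor += size as usize;` advances the cursor by a length taken straight from the input without comparing it against the bytes remaining, so a crafted `size` pushes the cursor past the end of the buffer; whether that is caught then depends on the next read's bounds check, and with the loop's `break`-on-error handling such input ends parsing quietly instead of being rejected. Validating the skip against the remaining length and returning an error when it does not fit — or advancing through a bounds-checked read of `size` bytes if the Buffer offers one — turns an oversized section into a parse failure in every build. The `else` after `break` is also redundant: `if size == 0 { break; }` followed by `*cursor += size as usize;` reads cleaner. The enclosing unmarshal loop continues outside the hunk.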
@@ -93,7 +93,7 @@ impl RootSet {
 /// Get the ZeroTier default root set, which contains roots run by ZeroTier Inc.
 pub fn zerotier_default() -> Self {
 let mut cursor = 0;
- let rs = Self::unmarshal(&Buffer::from(include_bytes!("../../default-rootset/root.zerotier.com.json")), &mut cursor).unwrap();
+ let rs = Self::unmarshal(&Buffer::from(include_bytes!("../../default-rootset/root.zerotier.com.bin")), &mut cursor).unwrap();
 assert!(rs.verify());
 rs
 }
@@ -105,7 +105,7 @@ impl RootSet {
 if self.url.is_some() {
 let url = self.url.as_ref().unwrap().as_bytes();
 buf.append_varint(url.len() as u64)?;
- buf.append_bytes(url);
+ buf.append_bytes(url)?;
 } else {
 buf.append_varint(0)?;
 }
diff --git a/zerotier-system-service/src/cli/rootset.rs b/zerotier-system-service/src/cli/rootset.rs
index 647d6865a..bc341424d 100644
--- a/zerotier-system-service/src/cli/rootset.rs
+++ b/zerotier-system-service/src/cli/rootset.rs
@@ -112,6 +112,10 @@ pub async fn cmd(flags: Flags, cmd_args: &ArgMatches) -> i32 {
 }
 }
+ Some(("default", _)) => {
+ let _ = std::io::stdout().write_all(crate::utils::to_json_pretty(&RootSet::zerotier_default()).as_bytes());
+ }
+ _ => panic!(),
 }
 return exitcode::OK;
diff --git a/zerotier-system-service/src/main.rs b/zerotier-system-service/src/main.rs
index 79e98eb04..c2cf2c45d 100644
--- a/zerotier-system-service/src/main.rs
+++ b/zerotier-system-service/src/main.rs
@@ -86,6 +86,8 @@ Advanced Operations:
 ยท list List root sets in use
 sign Sign a root set with an identity
 verify Load and verify a root set
+ marshal Dump root set as binary to stdout
+ default Dump the default root set as JSON
 service Start local service (usually not invoked manually)
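Review bot: The `.unwrap()` on `Self::unmarshal(...)` is acceptable here because the bytes come from `include_bytes!`, but it should state the invariant it relies on: `.expect("embedded default root set must be well-formed")`. Keeping `assert!` rather than `debug_assert!` for `rs.verify()` is the right call, since it means release builds still refuse to start with a default root set whose signatures do not check out. Now that the code embeds the `.bin` while the `.json` remains in the same directory, a doc comment on `zerotier_default` saying which file is authoritative and how the `.bin` is regenerated (presumably via the `marshal` subcommand added in this commit) would prevent the two from silently diverging.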
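Review bot: Propagating the `append_bytes` error with `?` is the right fix, but the surrounding `if self.url.is_some()` plus `self.url.as_ref().unwrap()` is the manual form of a pattern match; `if let Some(url) = self.url.as_ref() {` followed by `let url = url.as_bytes();` removes the unwrap and cannot drift out of sync with the condition. The enclosing marshal function starts and ends outside the hunk.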
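Review bot: `let _ = std::io::stdout().write_all(...)` in the new `default` arm discards the write result, so a closed or full stdout still falls through to `return exitcode::OK;` and the caller believes the JSON was delivered. Checking the result and mapping it to an I/O exit status, `if std::io::stdout().write_all(...).is_err() { return exitcode::IOERR; }`, keeps the exit code honest for scripted use. The `marshal` arm this mirrors is outside the hunk and may want the same treatment.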
@@ -197,7 +199,8 @@ fn main() {
 .subcommand(Command::new("list"))
 .subcommand(Command::new("sign").arg(Arg::new("path").index(1).required(true)).arg(Arg::new("secret").index(2).required(true)))
 .subcommand(Command::new("verify").arg(Arg::new("path").index(1).required(true)))
- .subcommand(Command::new("marshal").arg(Arg::new("path").index(1).required(true))),
+ .subcommand(Command::new("marshal").arg(Arg::new("path").index(1).required(true)))
+ .subcommand(Command::new("default")),
 )
 .override_help(help.as_str())
 .override_usage("")