diff --git a/zerotier-network-hypervisor/default-rootset/root.zerotier.com.bin b/zerotier-network-hypervisor/default-rootset/root.zerotier.com.bin
index 43311beef..88ea585a2 100644
Binary files a/zerotier-network-hypervisor/default-rootset/root.zerotier.com.bin and b/zerotier-network-hypervisor/default-rootset/root.zerotier.com.bin differ
diff --git a/zerotier-network-hypervisor/default-rootset/root.zerotier.com.json b/zerotier-network-hypervisor/default-rootset/root.zerotier.com.json
index 3ac195f93..6115e9544 100644
--- a/zerotier-network-hypervisor/default-rootset/root.zerotier.com.json
+++ b/zerotier-network-hypervisor/default-rootset/root.zerotier.com.json
@@ -1,25 +1,26 @@ { "name": "root.zerotier.com", + "url": "http://root.zerotier.com/root.zerotier.com.json", "revision": 1, "members": [ { "identity": "62f865ae71:0:e2076c57de870e6288d7d5e7404408b1545efca37d67f77b87e9e54168c25d3ef1a9abf2905ea5e785c01dff23887ad4232d95c7a8fd2c27111a72bd159322dc", "endpoints": [ "udp:50.7.252.138/9993", "udp:2001:49f0:d0db:2::2/9993" ], - "signature": [ 1, 250, 55, 178, 250, 221, 13, 136, 125, 246, 209, 222, 43, 154, 3, 87, 224, 202, 86, 154, 217, 132, 141, 77, 246, 233, 118, 35, 112, 37, 58, 226, 104, 232, 33, 180, 29, 159, 20, 100, 217, 129, 242, 16, 247, 253, 70, 245, 59, 22, 126, 148, 52, 7, 231, 5, 230, 252, 35, 204, 22, 12, 85, 122, 10 ], + "signature": [ 1, 11, 19, 254, 152, 128, 229, 120, 238, 27, 162, 32, 34, 243, 199, 109, 197, 193, 7, 90, 237, 8, 207, 123, 2, 226, 71, 228, 53, 75, 127, 197, 205, 1, 220, 225, 165, 236, 110, 129, 73, 135, 74, 198, 58, 215, 180, 78, 17, 238, 159, 82, 30, 148, 159, 114, 248, 34, 19, 237, 247, 188, 185, 6, 5 ], "priority": 0 }, { "identity": "778cde7190:0:3f6681a99e5ad1895e9fba33e6212d4454e168bcec7112101bf000956ed8e92e42892cb6f2ec410881a84ab19da50e1287ba3d926c3a1f755cccf299a1207055", "endpoints": [ "udp:103.195.103.66/9993", "udp:2605:9880:400:c3:254:f2bc:a1f7:19/9993" ], - "signature": [ 1, 115, 251, 30, 185, 137, 187, 219, 80, 35, 19, 117, 38, 241, 200, 137, 205, 208, 73, 54, 30, 158, 150, 64, 232, 214, 248, 54, 26, 180, 29, 68, 87, 34, 102, 251, 199, 158, 215, 199, 77, 8, 128, 93, 166, 199, 39, 139, 143, 20, 180, 29, 145, 232, 90, 181, 75, 237, 175, 238, 2, 124, 18, 124, 4 ], + "signature": [ 1, 176, 201, 27, 124, 69, 177, 126, 248, 34, 141, 118, 151, 20, 54, 21, 172, 207, 65, 81, 56, 38, 103, 54, 233, 21, 135, 0, 198, 3, 181, 69, 14, 252, 141, 85, 144, 33, 2, 195, 2, 132, 156, 24, 120, 87, 7, 126, 55, 94, 82, 78, 195, 58, 232, 153, 76, 181, 102, 5, 94, 219, 30, 201, 11 ], "priority": 0 }, { "identity": 
"cafe04eba9:0:6c6a9d1dea55c1616bfe2a2b8f0ff9a8cacaf70374fb1f39e3bef81cbfebef17b7228268a0a2a29d3488c752565c6c965cbd6506ec24397cc8a5d9d15285a87f", "endpoints": [ "udp:84.17.53.155/9993", "udp:2a02:6ea0:d405::9993/9993" ], - "signature": [ 1, 51, 245, 92, 49, 30, 240, 161, 49, 14, 233, 231, 237, 169, 55, 1, 171, 91, 121, 3, 157, 139, 135, 177, 212, 199, 26, 188, 98, 130, 138, 39, 193, 45, 190, 243, 146, 15, 234, 220, 203, 154, 39, 230, 88, 152, 164, 74, 44, 136, 125, 207, 23, 31, 112, 52, 16, 116, 179, 99, 93, 133, 133, 189, 6 ], + "signature": [ 1, 95, 173, 172, 103, 89, 255, 220, 100, 218, 112, 19, 153, 47, 197, 108, 17, 224, 59, 225, 35, 171, 255, 131, 143, 165, 0, 159, 91, 244, 11, 52, 144, 103, 105, 126, 245, 114, 60, 71, 92, 85, 78, 105, 20, 41, 47, 138, 243, 37, 69, 232, 33, 206, 185, 166, 243, 3, 99, 92, 21, 114, 154, 166, 15 ], "priority": 0 }, { "identity": "cafe9efeb9:0:ccdef76bc7b97ded904eabc5df09886d9c1514a610036cb9139cc214001a2958978efcec15712dd3948c6e6b3a8e893df01ff493d1f8d9806a860c5420571bf0", "endpoints": [ "udp:104.194.8.134/9993", "udp:2605:9880:200:1200:30:571:e34:51/9993" ], - "signature": [ 1, 237, 145, 250, 221, 80, 44, 48, 158, 74, 198, 149, 192, 96, 220, 223, 232, 141, 163, 254, 173, 190, 7, 16, 67, 234, 182, 183, 16, 36, 154, 40, 141, 98, 18, 253, 57, 186, 222, 71, 223, 247, 43, 131, 203, 38, 79, 36, 43, 52, 130, 80, 218, 188, 3, 175, 221, 108, 218, 139, 248, 37, 228, 112, 5 ], + "signature": [ 1, 117, 175, 12, 134, 119, 149, 178, 74, 56, 60, 139, 20, 25, 140, 172, 233, 127, 198, 175, 211, 175, 89, 67, 177, 71, 129, 154, 33, 217, 14, 152, 150, 57, 103, 123, 193, 170, 19, 203, 44, 205, 251, 38, 91, 4, 83, 224, 123, 69, 174, 61, 73, 239, 192, 8, 84, 193, 155, 36, 140, 41, 156, 59, 4 ], "priority": 0 } ] } diff --git a/zerotier-network-hypervisor/src/vl1/rootset.rs b/zerotier-network-hypervisor/src/vl1/rootset.rs index 65fb28551..49b95b6ee 100644 --- a/zerotier-network-hypervisor/src/vl1/rootset.rs 
+++ b/zerotier-network-hypervisor/src/vl1/rootset.rs @@ -73,6 +73,9 @@ pub struct RootSet { /// An arbitrary name, which could be something like a domain. pub name: String, + /// Optional URL where root set can be fetched, can be used as a secondary update channel. + pub url: Option, + /// A monotonically increasing revision number (doesn't have to be sequential). pub revision: u64, @@ -83,20 +86,29 @@ pub struct RootSet { } impl RootSet { - pub fn new(name: String, revision: u64) -> Self { - Self { name, revision, members: Vec::new() } + pub fn new(name: String, url: Option, revision: u64) -> Self { + Self { name, url, revision, members: Vec::new() } } /// Get the ZeroTier default root set, which contains roots run by ZeroTier Inc. pub fn zerotier_default() -> Self { let mut cursor = 0; - Self::unmarshal(&Buffer::from(include_bytes!("../../default-rootset/root.zerotier.com.json")), &mut cursor).unwrap() + let rs = Self::unmarshal(&Buffer::from(include_bytes!("../../default-rootset/root.zerotier.com.json")), &mut cursor).unwrap(); + assert!(rs.verify()); + rs } fn marshal_internal(&self, buf: &mut Buffer, include_signatures: bool) -> std::io::Result<()> { buf.append_u8(0)?; // version byte for future use buf.append_varint(self.name.as_bytes().len() as u64)?; buf.append_bytes(self.name.as_bytes())?; + if self.url.is_some() { + let url = self.url.as_ref().unwrap().as_bytes(); + buf.append_varint(url.len() as u64)?; + buf.append_bytes(url); + } else { + buf.append_varint(0)?; + } buf.append_varint(self.revision)?; buf.append_varint(self.members.len() as u64)?; for m in self.members.iter() { @@ -239,7 +251,7 @@ impl Marshalable for RootSet { } fn unmarshal(buf: &Buffer, cursor: &mut usize) -> std::io::Result { - let mut rc = Self::new(String::new(), 0); + let mut rc = Self::new(String::new(), None, 0); if buf.read_u8(cursor)? != 0 { return std::io::Result::Err(std::io::Error::new(std::io::ErrorKind::InvalidData, "unsupported version")); } 
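Review bot: The new doc comment on `url` in the `RootSet` struct hunk does not say that a root set fetched from this address is untrusted until verified, and the default root set updated in this same commit sets the field to a plain `http://` URL. Because `marshal_internal` writes the URL ahead of `revision`, it appears to be covered by the member signatures, so integrity presumably rests on `verify()` rather than on the transport, and the comment should say so. Suggested wording: `/// Optional URL where an updated root set can be fetched (secondary update channel). The transport is not trusted; a fetched set must pass verify() before use.` The struct starts before and ends after this hunk.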
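Review bot: In `marshal_internal` the added `buf.append_bytes(url);` discards its result, unlike every other append in the function, so a failed write would go unnoticed and leave a length prefix without its bytes; it should be `buf.append_bytes(url)?;`. The `is_some()` / `unwrap()` pair reads better as `if let Some(url) = self.url.as_ref()`. Separately, `zerotier_default()` still passes the `.json` file to `unmarshal`, which rejects input whose first byte is not 0, so unless `Buffer::from` converts it the `unwrap()` looks like it would panic before the new `assert!(rs.verify())` is reached; the `.bin` file updated in this commit may be the intended input. `marshal_internal` continues past the end of the hunk.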
@@ -247,6 +259,11 @@ impl Marshalable for RootSet { let name_len = buf.read_varint(cursor)?; rc.name = String::from_utf8(buf.read_bytes(name_len as usize, cursor)?.to_vec()).map_err(|_| std::io::Error::new(std::io::ErrorKind::InvalidData, "invalid UTF8"))?; + let url_len = buf.read_varint(cursor)?; + if url_len > 0 { + rc.url = Some(String::from_utf8(buf.read_bytes(url_len as usize, cursor)?.to_vec()).map_err(|_| std::io::Error::new(std::io::ErrorKind::InvalidData, "invalid UTF8"))?); + } + rc.revision = buf.read_varint(cursor)?; let member_count = buf.read_varint(cursor)?;
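Review bot: `url_len` is read straight from the serialized input and narrowed with `url_len as usize`, which truncates on targets where `usize` is 32 bits, so an oversized length could be read as a small one instead of failing. Converting with `usize::try_from(url_len)` and mapping the failure to `InvalidData` would avoid that; the `name_len` cast in the context lines above has the same shape. A zero length decodes to `None`, so `Some(String::new())` does not round-trip through marshal/unmarshal, which deserves a short comment such as `// zero length means no URL`. `unmarshal` begins and ends outside the hunk.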