yes, dhcpd makes the entry.

Its not intentional security thing just 9load being minimal.  However,
over the years, 9load has become so friggin big that I might as well
put ARP into it too, it'ld hardly be noticable.

Dhcpd loading the arp cache is just there because it has to be.
Otherwise the responses might not work.  That's because if the
broadcast flag isn't set in the client requests, replies are
unicast.  If the reply is unicast, the server has to ARP to get
the clients ether address.  Since the client hasn't gotten its
address yet, it can't answer the ARP...

Of course, once 9load gets an address, it should be ready to
answer ARPs.  That way we could separate the dhcp server and
tftp server.  On my infinite list.