diff --git a/CHANGELOG b/CHANGELOG
index dd86f9e..5e8efa3 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,8 @@
+2024-02-28
+    - 4.0.7
+    - Fix overly strict 0-RTT packet DCID validation.
+    - Update docker build.
+
 2024-02-23
     - 4.0.6
     - Fix ACK handling.
diff --git a/Dockerfile b/Dockerfile
index 6b015ec..917ff4a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM ubuntu:20.04
+FROM ubuntu:20.04 as build-lsquic
 
 ENV DEBIAN_FRONTEND noninteractive
 
@@ -25,8 +25,15 @@ RUN git clone https://github.com/google/boringssl.git && \
     cmake . && \
     make
 
+ENV EXTRA_CFLAGS -DLSQUIC_QIR=1
 RUN cd /src/lsquic && \
     cmake -DBORINGSSL_DIR=/src/boringssl . && \
     make
 
-RUN cd lsquic && make test && cp bin/http_client /usr/bin/ && cp bin/http_server /usr/bin
+RUN cd lsquic && cp bin/http_client /usr/bin/ && cp bin/http_server /usr/bin
+
+FROM martenseemann/quic-network-simulator-endpoint:latest as lsquic-qir
+COPY --from=build-lsquic /usr/bin/http_client /usr/bin/http_server /usr/bin/
+COPY qir/run_endpoint.sh .
+RUN chmod +x run_endpoint.sh
+ENTRYPOINT [ "./run_endpoint.sh" ]
diff --git a/README.md b/README.md
index ad8e5ab..fd593d0 100644
--- a/README.md
+++ b/README.md
@@ -111,8 +111,7 @@ as follows:
 ```
 git clone https://github.com/litespeedtech/lsquic.git
 cd lsquic
-git submodule init
-git submodule update
+git submodule update --init
 ```
 
 2. Compile the library
@@ -147,8 +146,7 @@ The library and the example client and server can be built with Docker.
 Initialize Git submodules:
 ```
 cd lsquic
-git submodule init
-git submodule update
+git submodule update --init
 ```
 
 Build the Docker image:
diff --git a/docs/conf.py b/docs/conf.py
index 9037141..987ddc6 100644
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -26,7 +26,7 @@ author = u'LiteSpeed Technologies'
 # The short X.Y version
 version = u'4.0'
 # The full version, including alpha/beta/rc tags
-release = u'4.0.6'
+release = u'4.0.7'
 
 
 # -- General configuration ---------------------------------------------------
diff --git a/include/lsquic.h b/include/lsquic.h
index b298966..1b8e752 100644
--- a/include/lsquic.h
+++ b/include/lsquic.h
@@ -27,7 +27,7 @@ extern "C" {
 
 #define LSQUIC_MAJOR_VERSION 4
 #define LSQUIC_MINOR_VERSION 0
-#define LSQUIC_PATCH_VERSION 6
+#define LSQUIC_PATCH_VERSION 7
 
 /**
  * Engine flags:
diff --git a/qir/run_endpoint.sh b/qir/run_endpoint.sh
new file mode 100644
index 0000000..bc07c09
--- /dev/null
+++ b/qir/run_endpoint.sh
@@ -0,0 +1,139 @@
+#!/bin/bash
+#
+# run_endpoint.sh -- QUIC Interop Runner script for lsquic
+#
+
+/setup.sh
+
+if [ "$ROLE" == "client" ]; then
+    # Wait for the simulator to start up.
+    /wait-for-it.sh sim:57832 -s -t 30
+fi
+
+echo TEST_PARAMS: $TEST_PARAMS
+echo REQUESTS: "'$REQUESTS'"
+eval $(perl <<'PERL'
+    @paths = split /\s+/, $ENV{REQUESTS};
+    s~^https?://[^/]+~-p ~ for @paths;
+    print "PATHS='@paths'\n";
+    $server = $ENV{REQUESTS};
+    $server =~ s~^https?://~~;
+    $server =~ s~/.*~~;
+    ($server, $port) = split /:/, $server;
+    print "SERVER=$server\n";
+    print "PORT=$port\n";
+    print "N_REQS=", scalar(@paths), "\n";
+    print "N_reqs=", scalar(@paths), "\n";
+    if (@paths > 100) {
+        print "W=100\n";
+    } else {
+        print "W=1\n";
+    }
+PERL
+)
+echo paths: $PATHS
+echo server: $SERVER
+echo port: $PORT
+
+# lsquic command-line tools create one file per connection when -G option
+# is used.  Here we make a copy and give it required name.
+#
+function maybe_create_keylog() {
+    local NAME=/logs/keys.log
+    if ls /logs/*.keys; then
+        # There may be more than one of these, as one file is created per
+        # connection.
+        cat /logs/*.keys > $NAME
+    fi
+    if [ -f $NAME ]; then
+        echo $NAME exists
+    else
+        echo $NAME does not exit
+    fi
+}
+
+if [ "$ROLE" = server ]; then
+    if [ ! -z "$TESTCASE" ]; then
+        case "$TESTCASE" in
+            http3)
+                VERSIONS='-o version=h3-29 -o version=h3'
+                ;;
+            v2)
+                VERSIONS='-o version=h3-v2 -o version=h3 -Q hq-interop'
+                ;;
+            handshake|transfer|longrtt|resumption|blackhole|multiconnect|chacha20|zerortt)
+                VERSIONS='-o version=h3-29 -o version=h3 -o scid_iss_rate=0 -Q hq-interop'
+                ;;
+            retry)
+                VERSIONS='-o version=h3-29 -o version=h3 -o srej=1 -Q hq-interop'
+                FORCE_RETRY=1
+                ;;
+            ecn)
+                VERSIONS='-o version=h3-29 -o version=h3 -Q hq-interop'
+                ECN='-o ecn=1'
+                ;;
+            *) exit 127 ;;
+        esac
+    fi
+    echo SERVER_PARAMS: $SERVER_PARAMS
+    exec env LSQUIC_FORCE_RETRY=$FORCE_RETRY /usr/bin/http_server $VERSIONS $ECN \
+        -c server,/certs/cert.pem,/certs/priv.key \
+        -c server4,/certs/cert.pem,/certs/priv.key \
+        -c server6,/certs/cert.pem,/certs/priv.key \
+        -c server46,/certs/cert.pem,/certs/priv.key \
+        -s ::0:443 -s 0.0.0.0:443 -s 193.167.100.100:12345 \
+        -r /www -L debug 2>/logs/$TESTCASE.out
+elif [ "$ROLE" = debug-server ]; then
+    exec /usr/bin/http_server $SERVER_PARAMS
+elif [ "$ROLE" = client ]; then
+    if [ ! -z "$TESTCASE" ]; then
+        case "$TESTCASE" in
+            http3)
+                VERSIONS='-o version=h3'
+                ;;
+            v2)
+                VERSIONS='-o version=h3-v2 -o version=h3 -Q hq-interop'
+                ;;
+            handshake|transfer|longrtt|retry|multiplexing|blackhole)
+                VERSIONS='-o version=h3 -Q hq-interop'
+                ;;
+            multiconnect)
+                VERSIONS='-o version=h3 -Q hq-interop'
+                N_REQS=1
+                ;;
+            ecn)
+                VERSIONS='-o version=h3 -Q hq-interop'
+                ECN='-o ecn=1'
+                ;;
+            resumption)
+                VERSIONS='-o version=h3 -Q hq-interop'
+                RESUME='-0 /logs/resume.file'
+                ;;
+            *) exit 127 ;;
+        esac
+    fi
+    echo CLIENT_PARAMS: $CLIENT_PARAMS
+    if [ "$TESTCASE" = resumption ]; then
+        # Fetch first file:
+        /usr/bin/http_client $VERSIONS -s $SERVER:$PORT $PATHS \
+            -r 1 -R 1 $RESUME \
+            -B -7 /downloads -G /logs \
+            -L debug 2>/logs/$TESTCASE-req1.out || exit $?
+        PATHS=`echo "$PATHS" | sed 's~-p /[^ ]* ~~'`
+        N_REQS=1
+        N_reqs=1
+        W=1
+        echo "first request successful, new args: $N_REQS; $N_reqs; $PATHS"
+    fi
+    /usr/bin/http_client $VERSIONS -s $SERVER:$PORT $PATHS \
+        -r $N_reqs -R $N_REQS -w $W $ECN $RESUME \
+        -B -7 /downloads -G /logs \
+        -L debug 2>/logs/$TESTCASE.out
+    EXIT_CODE=$?
+    maybe_create_keylog
+    sync
+    exit $EXIT_CODE
+else
+    echo hi
+    exit 127
+fi
diff --git a/src/liblsquic/lsquic_full_conn_ietf.c b/src/liblsquic/lsquic_full_conn_ietf.c
index 2260ba9..856b481 100644
--- a/src/liblsquic/lsquic_full_conn_ietf.c
+++ b/src/liblsquic/lsquic_full_conn_ietf.c
@@ -7524,7 +7524,7 @@ process_regular_packet (struct ietf_full_conn *conn,
                                                                     packet_in);
     else
     {
-        if (is_dcid_changed)
+        if (is_dcid_changed && HETY_0RTT != packet_in->pi_header_type)
         {
             if (LSQUIC_CIDS_EQ(&conn->ifc_conn.cn_cces[0].cce_cid,
                             &packet_in->pi_dcid)