There is a difference, of course, between "not supported" and "actively blocked."
If WordPress does not support off-site DNS but does not actively block traffic coming through CloudFlare, the problem is with CloudFlare and we assume all risk for traffic routing because we choose to host our DNS entries in a non-recommended manner.
Even today, if we set our DNS entries on CloudFlare but do not enable any CloudFlare services, traffic flows to the WordPress.com blogs perfectly. This is true whether we use multiple A records or simply set a CNAME pointing customdomain.com to lb.wordpress.com.
When CloudFlare services are activated, all traffic to our blogs goes first through the CloudFlare servers for caching, additional statistics, etc., which means that it would appear to WordPress.com as though it were originating from the CloudFlare servers.
Or, depending on the type of malevolent traffic detection being used, it may appear to WordPress.com that the request is being spoofed.
What we're trying to identify, since this problem is so new (remember that it has worked flawlessly for months for all of us), is whether WordPress.com servers are seeing the traffic from CloudFlare as potentially malevolent (or in violation of some terms of service) and actively blocking it. If so, we can either work toward or resolution or have WordPress.com explicitly state, "We do not allow traffic that comes from CloudFlare because [it triggers our network protection systems too easily|it violates TOS | we just don't like it]." All of those are okay, so long as we know the policy and can make an informed decision.
If, on the other hand, you tell us "We do not and cannot support off-site DNS or services such as CloudFlare, but we do not block such traffic, either. If you choose to use CloudFlare, you are on your own for issues related to your domain's traffic," then we know that it's time to push back on CloudFlare and let them know that you are NOT blocking traffic from their servers, and it's time to point the finger away from WordPress.com and back at them.
Can you please help us determine which of those two is closer to the official stance, so we know what to do next?